
Windows Analysis Report Updated Order COA.doc

Overview

General Information

Sample Name:Updated Order COA.doc
Analysis ID:435312
MD5:59f9c2a162cf48fe5819f58b697c107c
SHA1:f8702f19bae3a9f2dd1fca58f6eae3d6e62d4878
SHA256:23a865d4a1205be496c45012233d96255c90102e3925dab252d30d9a70f82ba9
Tags:doc
Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Process Start Without DLL
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Connects to a URL shortener service
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 1748 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2624 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • 098765.exe (PID: 2428 cmdline: C:\Users\Public\098765.exe MD5: 5688C69C4379841EEE42DCAEC2DBF55A)
      • RegAsm.exe (PID: 2896 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe MD5: ADF76F395D5A0ECBBF005390B73C3FD2)
        • schtasks.exe (PID: 2456 cmdline: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7790.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  • taskeng.exe (PID: 2536 cmdline: taskeng.exe {6204476F-CB6D-41BF-A018-07A92169AAA2} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)
    • RegAsm.exe (PID: 2592 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe 0 MD5: ADF76F395D5A0ECBBF005390B73C3FD2)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "18773cd6-e296-4327-b004-0088e2e8",
  "Group": "WEALTH",
  "Domain1": "185.140.53.154",
  "Domain2": "wealthybillionaire.ddns.net",
  "Port": 5540,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Disable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0x3185:$a: NanoCore
    • 0x31de:$a: NanoCore
    • 0x321b:$a: NanoCore
    • 0x3294:$a: NanoCore
    • 0x1693f:$a: NanoCore
    • 0x16954:$a: NanoCore
    • 0x16989:$a: NanoCore
    • 0x2f933:$a: NanoCore
    • 0x2f948:$a: NanoCore
    • 0x2f97d:$a: NanoCore
    • 0x31e7:$b: ClientPlugin
    • 0x3224:$b: ClientPlugin
    • 0x3b22:$b: ClientPlugin
    • 0x3b2f:$b: ClientPlugin
    • 0x166fb:$b: ClientPlugin
    • 0x16716:$b: ClientPlugin
    • 0x16746:$b: ClientPlugin
    • 0x1695d:$b: ClientPlugin
    • 0x16992:$b: ClientPlugin
    • 0x2f6ef:$b: ClientPlugin
    • 0x2f70a:$b: ClientPlugin
00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
    • 0xf7ad:$x1: NanoCore.ClientPluginHost
    • 0xf7da:$x2: IClientNetworkHost
00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0xf7ad:$x2: NanoCore.ClientPluginHost
    • 0x10888:$s4: PipeCreated
    • 0xf7c7:$s5: IClientLoggingHost
00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(21 entries in total)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.098765.exe.35098d0.9.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
    • 0xe38d:$x1: NanoCore.ClientPluginHost
    • 0xe3ca:$x2: IClientNetworkHost
    • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.098765.exe.35098d0.9.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0xe105:$x1: NanoCore Client.exe
    • 0xe38d:$x2: NanoCore.ClientPluginHost
    • 0xf9c6:$s1: PluginCommand
    • 0xf9ba:$s2: FileCommand
    • 0x1086b:$s3: PipeExists
    • 0x16622:$s4: PipeCreated
    • 0xe3b7:$s5: IClientLoggingHost
4.2.098765.exe.35098d0.9.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
4.2.098765.exe.35098d0.9.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0xe0f5:$a: NanoCore
    • 0xe105:$a: NanoCore
    • 0xe339:$a: NanoCore
    • 0xe34d:$a: NanoCore
    • 0xe38d:$a: NanoCore
    • 0xe154:$b: ClientPlugin
    • 0xe356:$b: ClientPlugin
    • 0xe396:$b: ClientPlugin
    • 0xe27b:$c: ProjectData
    • 0xec82:$d: DESCrypto
    • 0x1664e:$e: KeepAlive
    • 0x1463c:$g: LogClientMessage
    • 0x10837:$i: get_Connected
    • 0xefb8:$j: #=q
    • 0xefe8:$j: #=q
    • 0xf004:$j: #=q
    • 0xf034:$j: #=q
    • 0xf050:$j: #=q
    • 0xf06c:$j: #=q
    • 0xf09c:$j: #=q
    • 0xf0b8:$j: #=q
4.2.098765.exe.35098d0.9.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
    • 0x1018d:$x1: NanoCore.ClientPluginHost
    • 0x101ca:$x2: IClientNetworkHost
    • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(64 entries in total)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2896, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Exploits:

Sigma detected: File Dropped By EQNEDT32EXE
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2624, TargetFilename: C:\Users\Public\098765.exe

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2896, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started, Author: Florian Roth, Data: Command: C:\Users\Public\098765.exe, CommandLine: C:\Users\Public\098765.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\098765.exe, NewProcessName: C:\Users\Public\098765.exe, OriginalFileName: C:\Users\Public\098765.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2624, ProcessCommandLine: C:\Users\Public\098765.exe, ProcessId: 2428
Sigma detected: Execution from Suspicious Folder
Source: Process started, Author: Florian Roth, Data: Command: C:\Users\Public\098765.exe, CommandLine: C:\Users\Public\098765.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\098765.exe, NewProcessName: C:\Users\Public\098765.exe, OriginalFileName: C:\Users\Public\098765.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2624, ProcessCommandLine: C:\Users\Public\098765.exe, ProcessId: 2428
Sigma detected: Suspicious Process Start Without DLL
Source: Process started, Author: Florian Roth, Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: C:\Users\Public\098765.exe, ParentImage: C:\Users\Public\098765.exe, ParentProcessId: 2428, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2896
Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4, Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: C:\Users\Public\098765.exe, ParentImage: C:\Users\Public\098765.exe, ParentProcessId: 2428, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2896

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2896, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2896, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt, ReversingLabs: Detection: 22%
Source: C:\Users\Public\098765.exe, ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: Updated Order COA.doc, ReversingLabs: Detection: 17%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.2357249695.00000000028F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: 098765.exe PID: 2428, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORY
Source: Yara match, File source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.RegAsm.exe.39401dc.12.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.RegAsm.exe.924629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.RegAsm.exe.39401dc.12.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.098765.exe.340b8e2.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.RegAsm.exe.920000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.RegAsm.exe.3944805.13.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.RegAsm.exe.920000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt, Joe Sandbox ML: detected
Source: C:\Users\Public\098765.exe, Joe Sandbox ML: detected
Source: 5.2.RegAsm.exe.920000.6.unpack, Avira: Label: TR/NanoCore.fadte
Source: 5.2.RegAsm.exe.400000.1.unpack, Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\098765.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\098765.exe
Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown, HTTPS traffic detected: 67.199.248.10:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 82.221.105.125:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: Binary string: RegAsm.pdb source: RegAsm.exe, RegAsm.exe.4.dr
Source: C:\Users\Public\098765.exe, Code function: 4x nop then jmp 002D8BA8h
Source: global traffic, DNS query: name: bit.ly
Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 67.199.248.10:443
Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 67.199.248.10:443

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: 185.140.53.154
Source: Malware configuration extractor, URLs: wealthybillionaire.ddns.net
Uses dynamic DNS services
Source: unknown, DNS query: name: wealthybillionaire.ddns.net
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, DNS query: name: bit.ly
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, DNS query: name: bit.ly
Source: global traffic, TCP traffic: 192.168.2.22:49173 -> 185.140.53.154:5540
Source: Joe Sandbox View, IP Address: 82.221.105.125
Source: Joe Sandbox View, IP Address: 185.140.53.154
Source: Joe Sandbox View, ASN Name: DAVID_CRAIGGG
Source: Joe Sandbox View, JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{248C44A0-30CA-4646-ACFF-79FC9E14ADCB}.tmp
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown, DNS traffic detected: queries for: bit.ly
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.dr, String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: 098765.exe, 00000004.00000002.2125459036.0000000005DFF000.00000004.00000001.sdmp, String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, String found in binary or memory: http://go.microsoft.
Source: 098765.exe, 00000004.00000003.2105300256.0000000004B43000.00000004.00000001.sdmp, String found in binary or memory: http://n.f
Source: 098765.exe, 00000004.00000003.2105300256.0000000004B43000.00000004.00000001.sdmp, 098765.exe, 00000004.00000003.2117350374.0000000004B43000.00000004.00000001.sdmp, String found in binary or memory: http://ns.adobe.c/s
Source: 098765.exe, 00000004.00000003.2105300256.0000000004B43000.00000004.00000001.sdmp, String found in binary or memory: http://ns.adobede
Source: 098765.exe, 00000004.00000003.2105300256.0000000004B43000.00000004.00000001.sdmp, String found in binary or memory: http://ns.ao
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com0
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com0%
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com0-
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com0/
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com05
Source: 098765.exe, 00000004.00000002.2125459036.0000000005DFF000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.digicert.com0:
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.entrust.net03
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.entrust.net0D
Source: 098765.exe, 00000004.00000002.2118233396.0000000002320000.00000004.00000001.sdmp, 098765.exe, 00000004.00000002.2118217008.0000000002307000.00000004.00000001.sdmp, String found in binary or memory: http://schema.org/WebPage
Source: 098765.exe, 00000004.00000002.2123869777.0000000005A00000.00000002.00000001.sdmp, RegAsm.exe, 00000005.00000002.2356838381.0000000002220000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2356343115.0000000001C20000.00000002.00000001.sdmp, RegAsm.exe, 00000009.00000002.2127779177.0000000002370000.00000002.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: 098765.exe, 00000004.00000002.2118199877.00000000022E1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 098765.exe, 00000004.00000002.2123869777.0000000005A00000.00000002.00000001.sdmp, RegAsm.exe, 00000005.00000002.2356838381.0000000002220000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2356343115.0000000001C20000.00000002.00000001.sdmp, RegAsm.exe, 00000009.00000002.2127779177.0000000002370000.00000002.00000001.sdmp, String found in binary or memory: http://www.%s.comPA
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: 2TE7JJq[1].htm.2.dr, String found in binary or memory: https://offlineclubz.com/PC.txt
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: https://secure.comodo.com/CPS0
Source: 098765.exe, 00000004.00000002.2118199877.00000000022E1000.00000004.00000001.sdmp, String found in binary or memory: https://www.google.com
Source: 098765.exe, 00000004.00000002.2118199877.00000000022E1000.00000004.00000001.sdmp, String found in binary or memory: https://www.google.com/
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown, Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown, HTTPS traffic detected: 67.199.248.10:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 82.221.105.125:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: RegAsm.exe, 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File sources: the same 27 memory dumps and unpacked PEs listed for this signature under AV Detection above
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000002.2356610128.0000000000760000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: 098765.exe PID: 2428, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: 098765.exe PID: 2428, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegAsm.exe.39401dc.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegAsm.exe.924629.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegAsm.exe.39401dc.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.098765.exe.340b8e2.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.340b8e2.8.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegAsm.exe.920000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.RegAsm.exe.3944805.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.RegAsm.exe.920000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegAsm.exe.760000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegAsm.exe.290e00c.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        .NET source code contains very large array initializations
        Source: 098765.exe.2.dr, Qb7p/Kg37.cs | Large array initialization: .cctor: array initializer size 2653
        Source: 098765.exe.2.dr, e1L/Bs2.cs | Large array initialization: .cctor: array initializer size 2943
        Source: 4.0.098765.exe.e30000.0.unpack, Qb7p/Kg37.cs | Large array initialization: .cctor: array initializer size 2653
        Source: 4.0.098765.exe.e30000.0.unpack, e1L/Bs2.cs | Large array initialization: .cctor: array initializer size 2943
        Source: 4.2.098765.exe.e30000.3.unpack, e1L/Bs2.cs | Large array initialization: .cctor: array initializer size 2943
        Source: 4.2.098765.exe.e30000.3.unpack, Qb7p/Kg37.cs | Large array initialization: .cctor: array initializer size 2653
        Office equation editor drops PE file
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\098765.exe
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt
        Source: C:\Users\Public\098765.exe | Memory allocated: 76E20000 page execute and read and write
        Source: C:\Users\Public\098765.exe | Memory allocated: 76D20000 page execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Memory allocated: 76E20000 page execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Memory allocated: 76D20000 page execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Memory allocated: 76E20000 page execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Memory allocated: 76D20000 page execute and read and write
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00A72D80 CreateProcessAsUserW,
        Source: C:\Users\Public\098765.exe | Code function: 4_2_002D8320
        Source: C:\Users\Public\098765.exe | Code function: 4_2_002D6A58
        Source: C:\Users\Public\098765.exe | Code function: 4_2_002D3E91
        Source: C:\Users\Public\098765.exe | Code function: 4_2_002D2FD8
        Source: C:\Users\Public\098765.exe | Code function: 4_2_002DA239
        Source: C:\Users\Public\098765.exe | Code function: 4_2_002DA240
        Source: C:\Users\Public\098765.exe | Code function: 4_2_002D2550
        Source: C:\Users\Public\098765.exe | Code function: 4_2_002DF680
        Source: C:\Users\Public\098765.exe | Code function: 4_2_002D6A49
        Source: C:\Users\Public\098765.exe | Code function: 4_2_002D8BC1
        Source: C:\Users\Public\098765.exe | Code function: 4_2_002D8BD0
        Source: C:\Users\Public\098765.exe | Code function: 4_2_002D3F81
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00A72490
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00A790E8
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00A73C59
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00A7B988
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00A73161
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00A77171
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00A76A40
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00A74F80
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00A78860
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00A78870
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00A7A840
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00A709B8
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00A709C8
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00A79B80
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00A783E8
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00A783F8
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_001F3DFE
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_005FB198
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_005F43A0
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_005FDD38
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_005FBDB0
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_005F3788
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_005F4458
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_005FBE6E
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 9_2_001F3DFE
        Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\RegAsm.exe 5FF87E563B2DF09E94E17C82741D9A43AED2F214643DC067232916FAE4B35417
        Source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.2356610128.0000000000760000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.2356610128.0000000000760000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: 098765.exe PID: 2428, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: 098765.exe PID: 2428, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegAsm.exe.39401dc.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.39401dc.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegAsm.exe.924629.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.924629.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegAsm.exe.39401dc.12.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.39401dc.12.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.098765.exe.340b8e2.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.098765.exe.340b8e2.8.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegAsm.exe.920000.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.920000.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.RegAsm.exe.3944805.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.3944805.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.RegAsm.exe.920000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.920000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegAsm.exe.760000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.760000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegAsm.exe.290e00c.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.290e00c.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: classification engineClassification label: mal100.troj.expl.evad.winDOC@11/22@9/3
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$dated Order COA.docJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{18773cd6-e296-4327-b004-0088e2e894f7}
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRC013.tmpJump to behavior
        Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ........................................(.P.....`.......<.......$...............................................................................
        Source: C:\Users\Public\098765.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\Public\098765.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\Public\098765.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: Updated Order COA.docReversingLabs: Detection: 17%
        Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
        Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\098765.exe C:\Users\Public\098765.exe
        Source: C:\Users\Public\098765.exeProcess created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7790.tmp'
        Source: unknownProcess created: C:\Windows\System32\taskeng.exe taskeng.exe {6204476F-CB6D-41BF-A018-07A92169AAA2} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
        Source: C:\Windows\System32\taskeng.exeProcess created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe 0
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\098765.exe C:\Users\Public\098765.exe
        Source: C:\Users\Public\098765.exeProcess created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7790.tmp'
        Source: C:\Windows\System32\taskeng.exeProcess created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe 0
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\Public\098765.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
        Source: Updated Order COA.docStatic file information: File size 2676268 > 1048576
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
        Source: Binary string: RegAsm.pdb source: RegAsm.exe, RegAsm.exe.4.dr
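The process chain recorded above (Word, then Equation Editor, then a dropper in C:\Users\Public, then a RegAsm.exe copy in %TEMP%, then schtasks) is what the Sigma signatures listed in the summary fire on. The Python below is an added example; it is not part of the Joe Sandbox report and not the text of any Sigma rule. Each function is my own approximation of the condition the named signature describes, and the event records are constructed from the 'Process created' lines above using an assumed field layout (parent_image, image, command_line), not a real telemetry schema.

```python
"""Sigma-style checks over the process-creation chain shown in the report.

Added example: not part of the Joe Sandbox report and not the text of any
Sigma rule. Each function is my approximation of the condition the named
signature describes. Event records are constructed from the 'Process created'
lines in the report; the field names (parent_image, image, command_line) are an
assumed schema, not real telemetry.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Directories any interactive user can write to: a fresh binary launched from
# here by an Office component is the dropper pattern this sample follows.
USER_WRITABLE = re.compile(
    r"\\Users\\Public\\|\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\",
    re.IGNORECASE,
)


def eqnedt32_spawns_child(e: Event) -> bool:
    """Equation Editor has no legitimate reason to start other programs; a
    child process is the post-exploitation sign behind the 'Droppers
    Exploiting CVE-2017-11882' signature."""
    return e["parent_image"].lower().endswith("\\eqnedt32.exe")


def runs_from_suspicious_folder(e: Event) -> bool:
    """'Execution from Suspicious Folder': image path under a user-writable
    directory."""
    return USER_WRITABLE.search(e["image"]) is not None


def schtasks_xml_from_temp(e: Event) -> bool:
    """schtasks /create fed a task definition that lives in %TEMP%, which is
    exactly how the 'SMTP Service' task in the report is registered."""
    cl = e["command_line"].lower()
    return (
        e["image"].lower().endswith("\\schtasks.exe")
        and "/create" in cl
        and "/xml" in cl
        and "\\appdata\\local\\temp\\" in cl
    )


def regasm_outside_framework(e: Event) -> bool:
    """RegAsm.exe ships under \\Windows\\Microsoft.NET\\Framework*; a copy
    running from a user directory is the hollowed host used here."""
    img = e["image"].lower()
    return img.endswith("\\regasm.exe") and "\\windows\\microsoft.net\\" not in img


RULES: Dict[str, Callable[[Event], bool]] = {
    "eqnedt32_child": eqnedt32_spawns_child,
    "suspicious_folder": runs_from_suspicious_folder,
    "schtasks_xml_from_temp": schtasks_xml_from_temp,
    "regasm_outside_framework": regasm_outside_framework,
}


def evaluate(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, image) pairs for every event that trips a rule, in event order."""
    return [(name, e["image"]) for e in events for name, rule in RULES.items() if rule(e)]


# Constructed from the report's 'Process created' lines; 'unknown' parents are
# kept exactly as the report lists them.
SAMPLE_EVENTS: List[Event] = [
    {"parent_image": "unknown",
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "command_line": r"'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding"},
    {"parent_image": "unknown",
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "command_line": r"'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding"},
    {"parent_image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Users\Public\098765.exe",
     "command_line": r"C:\Users\Public\098765.exe"},
    {"parent_image": r"C:\Users\Public\098765.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe",
     "command_line": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe"},
    {"parent_image": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "command_line": r"'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7790.tmp'"},
    {"parent_image": r"C:\Windows\System32\taskeng.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe",
     "command_line": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe 0"},
]

if __name__ == "__main__":
    for rule, image in evaluate(SAMPLE_EVENTS):
        print(f"{rule:26s} {image}")
```

The two Office launches produce no hit; the dropper trips two rules, both RegAsm.exe starts (the one from the dropper and the one from taskeng.exe after reboot) trip two each, and the schtasks call trips one. In production the same checks should run against the parent chain, not just the immediate parent, since droppers often insert a cmd.exe or conhost.exe hop.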

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\Public\098765.exe	Code function: 4_2_00E343EE push ebx; retf
        Source: C:\Users\Public\098765.exe	Code function: 4_2_00E32FA7 push ds; retf
        Source: C:\Users\Public\098765.exe	Code function: 4_2_00E34CB9 pushad ; retf
        Source: C:\Users\Public\098765.exe	Code function: 4_2_00E330BD push ds; retf
        Source: C:\Users\Public\098765.exe	Code function: 4_2_00E3433D push ebx; retf
        Source: C:\Users\Public\098765.exe	Code function: 4_2_00A71ED0 push esp; retf
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_001F523F push cs; iretd
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_02071B10 push 00000000h; retn 0004h
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_02070172 push 00000000h; ret
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 9_2_001F523F push cs; iretd
        Source: 098765.exe.2.dr, Wk7s/Xb3o.cs	High entropy of concatenated method names: '.ctor', 'Pm5i', 'b3FQ', 'q6Z1', 'f8DT', 's6BP', 'La0j', 'Dz12', 'Zt59', 'e2L8'
        Source: 4.0.098765.exe.e30000.0.unpack, Wk7s/Xb3o.cs	High entropy of concatenated method names: '.ctor', 'Pm5i', 'b3FQ', 'q6Z1', 'f8DT', 's6BP', 'La0j', 'Dz12', 'Zt59', 'e2L8'
        Source: 4.2.098765.exe.e30000.3.unpack, Wk7s/Xb3o.cs	High entropy of concatenated method names: '.ctor', 'Pm5i', 'b3FQ', 'q6Z1', 'f8DT', 's6BP', 'La0j', 'Dz12', 'Zt59', 'e2L8'
        Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\Public\098765.exe	File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\098765.exe
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\098765.exe
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt
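The two kinds of method names flagged above come from the dropper (Wk7s/Xb3o.cs: four-character alphanumeric names) and from the payload injected into RegAsm.exe ('#=q…' identifiers of the style commonly produced by .NET Reactor). The Python below is an added example that reproduces the idea behind this signature; it is not Joe Sandbox's implementation. The sandbox does not publish its metric or cut-off, so the Shannon entropy over the concatenated names and the 4.65-bit threshold are my assumptions. The obfuscated lists are copied from the report lines above; the benign list is constructed by me from ordinary .NET member names for comparison.

```python
"""Reproduce the 'high entropy of concatenated method names' heuristic.

Added example, not the sandbox's own code: the Shannon-entropy metric and the
threshold are assumptions. REACTOR_NAMES and SHORT_RANDOM_NAMES are copied
from the report; BENIGN_NAMES is constructed for comparison.
"""
import math
from collections import Counter
from typing import Iterable

ENTROPY_THRESHOLD_BITS = 4.65  # assumption; tune on your own corpus


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical character distribution of text."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def method_name_entropy(names: Iterable[str]) -> float:
    """Concatenate the names, as the signature text says, then measure."""
    return shannon_entropy("".join(names))


def names_look_obfuscated(names: Iterable[str]) -> bool:
    return method_name_entropy(names) > ENTROPY_THRESHOLD_BITS


# Copied from the report: injected payload, .NET Reactor-style identifiers.
REACTOR_NAMES = [
    "#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=",
    "#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=",
    "#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq",
    "#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=",
    "#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=",
    "#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA",
    "#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=",
    "#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=",
    "#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=",
    "#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs=",
]

# Copied from the report: dropper (Wk7s/Xb3o.cs), short random names.
SHORT_RANDOM_NAMES = [".ctor", "Pm5i", "b3FQ", "q6Z1", "f8DT", "s6BP",
                      "La0j", "Dz12", "Zt59", "e2L8"]

# Constructed: what an unobfuscated class of similar size tends to look like.
BENIGN_NAMES = [".ctor", "get_Name", "set_Name", "ToString", "Equals",
                "GetHashCode", "Dispose", "Initialize", "Connect", "Send"]

if __name__ == "__main__":
    for label, names in (("reactor", REACTOR_NAMES),
                         ("short-random", SHORT_RANDOM_NAMES),
                         ("benign", BENIGN_NAMES)):
        print(f"{label:13s} {method_name_entropy(names):.2f} bits "
              f"obfuscated={names_look_obfuscated(names)}")
```

The benign set lands around 4.4 bits because English-derived identifiers reuse a few letters (e, t, vowels) heavily; the four-character random names reach about 4.9 bits, and the base64-like Reactor names exceed 5.5. Entropy over a concatenation grows with alphabet size, so very short name lists are unreliable; a complementary check is the fraction of names that contain digits or '$'/'=' characters, which ordinary C# identifiers cannot.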

        Boot Survival:

        Drops PE files to the user root directory
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\098765.exe
        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7790.tmp'
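Because the task is created with /xml, the trigger and action never appear on the command line; they live in tmp7790.tmp, which the report does not reproduce, and after registration in the task store under C:\Windows\System32\Tasks. The Python below is an added example, not from the report: it parses a task definition in the Task Scheduler XML schema and lists the properties a hunter checks first. The XML it parses is constructed by me; its logon trigger, hidden flag and RegAsm.exe action are assumptions about what such a task typically contains, not the recovered contents of tmp7790.tmp.

```python
"""Triage a scheduled-task definition for persistence from user-writable paths.

Added example, not from the report. The task XML below is constructed in the
schema that 'schtasks /create /xml' consumes and that Windows stores verbatim
under C:\\Windows\\System32\\Tasks\\<task name> (no extension). The trigger,
hidden flag and action are assumptions, not recovered data.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(
    r"\\Users\\Public\\|\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\", re.IGNORECASE
)


def parse_task(xml_text: str) -> Dict[str, object]:
    """Extract trigger types, Exec actions and the Hidden setting."""
    root = ET.fromstring(xml_text)
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [c.tag.split("}")[-1] for c in trig]
    actions = [
        {
            "command": ex.findtext("t:Command", default="", namespaces=NS).strip(),
            "arguments": ex.findtext("t:Arguments", default="", namespaces=NS).strip(),
        }
        for ex in root.findall("t:Actions/t:Exec", NS)
    ]
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    return {"triggers": triggers, "actions": actions, "hidden": hidden.strip().lower() == "true"}


def suspicious_reasons(task: Dict[str, object]) -> List[str]:
    """Human-readable findings; an empty list means nothing stood out."""
    reasons: List[str] = []
    for a in task["actions"]:
        if USER_WRITABLE.search(a["command"]):
            reasons.append(f"action runs from a user-writable path: {a['command']}")
    if "LogonTrigger" in task["triggers"] and task["actions"]:
        reasons.append("fires at every logon")
    if task["hidden"]:
        reasons.append("hidden from the Task Scheduler UI")
    return reasons


def is_suspicious(xml_text: str) -> bool:
    return bool(suspicious_reasons(parse_task(xml_text)))


# Constructed task body (see lead-in). It mirrors what the report shows
# taskeng.exe doing afterwards: starting '...\Temp\RegAsm.exe 0'.
CONSTRUCTED_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\SMTP Service</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Local\\Temp\\RegAsm.exe</Command>
      <Arguments>0</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign counterpart: a vendor updater under Program Files.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Example\\updater.exe</Command></Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for reason in suspicious_reasons(parse_task(CONSTRUCTED_TASK_XML)):
        print("-", reason)
```

On a live host the same parser can be pointed at every file under C:\Windows\System32\Tasks; the files there are UTF-16 with a BOM, so read them with encoding='utf-16' before passing the text in. A task whose Command sits in %TEMP% is almost never legitimate, regardless of how innocuous its name ('SMTP Service') sounds.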

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\Public\098765.exe	File opened: C:\Users\Public\098765.exe\:Zone.Identifier read attributes | delete
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Temp\RegAsm.exe:Zone.Identifier read attributes | delete
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
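Zone.Identifier is the NTFS alternate data stream that carries the Mark of the Web. Opening it with delete access, as both dropped executables do above, removes the ZoneId=3 tag that SmartScreen and Office Protected View key on, so later launches of the file look locally created. The Python below is an added example, not from the report: it parses the stream's [ZoneTransfer] layout and reads it from disk through the file:stream path syntax on Windows. The stream text embedded in it is constructed, and its URLs are placeholders.

```python
"""Read and interpret the Mark-of-the-Web stream that this sample deletes.

Added example, not from the report. CONSTRUCTED_STREAM is written by me in
the documented [ZoneTransfer] INI layout; the URLs are placeholders.
"""
import os
from typing import Dict, Optional

# URLZONE values from urlmon.h
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Untrusted"}


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the [ZoneTransfer] block into a dict. Tolerates CRLF and missing
    optional keys (ReferrerUrl/HostUrl only exist on newer Windows builds)."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def zone_name(fields: Dict[str, str]) -> Optional[str]:
    """Map ZoneId to its URLZONE name, or None if the field is absent/invalid."""
    try:
        zone_id = int(fields["ZoneId"])
    except (KeyError, ValueError):
        return None
    return ZONE_NAMES.get(zone_id, f"Unknown({zone_id})")


def mark_of_the_web(path: str) -> Optional[Dict[str, str]]:
    """Return the parsed stream for a file on NTFS, or None when it is absent,
    which is what you find for both dropped executables once this sample has
    run. Only Windows exposes the stream through the ':' path syntax."""
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        return None


# Constructed stream as a browser or mail client would write it for a file
# saved from the Internet zone (ZoneId=3).
CONSTRUCTED_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/webmail\r\n"
    "HostUrl=https://example.invalid/Updated%20Order%20COA.doc\r\n"
)

if __name__ == "__main__":
    fields = parse_zone_identifier(CONSTRUCTED_STREAM)
    print(zone_name(fields), fields.get("HostUrl"))
```

A missing stream is not proof of tampering on its own (files copied from FAT media or extracted by some archivers never had one), but a dropped executable in %TEMP% whose parent was an Office process and whose stream is gone is a strong combination, and the 'read attributes | delete' open above is the exact event to hunt for.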
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX (34 occurrences)
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (17 occurrences)
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX (5 occurrences)
        Source: C:\Users\Public\098765.exe	Process information set: NOOPENFILEERRORBOX (50 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX (34 occurrences)
        Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX (4 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX (12 occurrences)
        Source: C:\Users\Public\098765.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Users\Public\098765.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Users\Public\098765.exe	Window / User API: threadDelayed 588
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Window / User API: threadDelayed 8756
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Window / User API: threadDelayed 949
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Window / User API: foregroundWindowGot 445
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2488	Thread sleep time: -180000s >= -30000s
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2488	Thread sleep time: -60000s >= -30000s
        Source: C:\Users\Public\098765.exe TID: 2420	Thread sleep time: -60000s >= -30000s
        Source: C:\Users\Public\098765.exe TID: 2976	Thread sleep time: -4611686018427385s >= -30000s
        Source: C:\Users\Public\098765.exe TID: 2904	Thread sleep count: 588 > 30
        Source: C:\Users\Public\098765.exe TID: 2696	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 2348	Thread sleep time: -60000s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 2556	Thread sleep time: -7378697629483816s >= -30000s
        Source: C:\Windows\System32\taskeng.exe TID: 2608	Thread sleep time: -60000s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 2988	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\Public\098765.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Users\Public\098765.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Users\Public\098765.exe	Process information queried: ProcessInformation
        Source: C:\Users\Public\098765.exe	Process token adjusted: Debug
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process token adjusted: Debug
        Source: C:\Users\Public\098765.exe	Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Allocates memory in foreign processes
        Source: C:\Users\Public\098765.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and write
        Injects a PE file into a foreign process
        Source: C:\Users\Public\098765.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
        Writes to foreign memory regions
        Source: C:\Users\Public\098765.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
        Source: C:\Users\Public\098765.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000
        Source: C:\Users\Public\098765.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000
        Source: C:\Users\Public\098765.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 422000
        Source: C:\Users\Public\098765.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 7EFDE008
        (The sequence is the classic process-hollowing pattern: an RWX allocation at 0x400000, the usual image base of a 32-bit executable, an MZ header written at that base, section-sized writes at 0x402000, 0x420000 and 0x422000, and a small write at 0x7EFDE008 outside the mapped image. On a 32-bit process under the Windows 7 x64 analysis system that address is consistent with PEB+0x8, the ImageBaseAddress field a hollowing loader updates before resuming the target's primary thread. This section lists no thread-context or resume call, so treat that reading as inferred from the addresses rather than confirmed.)
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\098765.exe C:\Users\Public\098765.exe
        Source: C:\Users\Public\098765.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7790.tmp'
        Source: C:\Windows\System32\taskeng.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe 0
        Source: RegAsm.exe, 00000005.00000002.2357310721.0000000002942000.00000004.00000001.sdmp | Binary or memory string: Program Manager48
        Source: RegAsm.exe, 00000005.00000002.2357310721.0000000002942000.00000004.00000001.sdmp, taskeng.exe, 00000008.00000002.2356298735.0000000000820000.00000002.00000001.sdmp | Binary or memory string: Program Manager
        Source: RegAsm.exe, 00000005.00000002.2356755341.0000000000C60000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2356298735.0000000000820000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: RegAsm.exe, 00000005.00000002.2356755341.0000000000C60000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2356298735.0000000000820000.00000002.00000001.sdmp | Binary or memory string: !Progman
        Source: RegAsm.exe, 00000005.00000002.2359036005.0000000002B68000.00000004.00000001.sdmp | Binary or memory string: Program Managerx
        Source: RegAsm.exe, 00000005.00000002.2357310721.0000000002942000.00000004.00000001.sdmp | Binary or memory string: Program Manager@
        (Program Manager, Progman and Shell_TrayWnd are the window title and classes of the desktop and taskbar windows. Their presence next to the foreground-window polling counted above is consistent with a check that an interactive desktop exists, a common sandbox test.)
        Source: C:\Users\Public\098765.exe | Queries volume information: C:\Users\Public\098765.exe VolumeInformation
        Source: C:\Users\Public\098765.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
        Source: C:\Users\Public\098765.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\Public\098765.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob
        (DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is the SHA-1 thumbprint of the DST Root CA X3 certificate. A blob written under AuthRoot\Certificates with that thumbprint is what Windows' automatic root-certificate update does when a TLS chain, here the HTTPS connections to bit.ly and offlineclubz.com, needs a root the store does not yet hold. It should not be read as the malware installing a certificate of its own; an attacker-installed root would carry an unfamiliar thumbprint and usually lands under Root rather than AuthRoot.)
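The injection sequence and the process chain listed in this section are the behaviour a detection rule set needs to key on. The following script is added here as an example; it is not code from the report, from Joe Sandbox or from NanoCore. It runs a small rule set over a constructed event trace modelled on these entries: an Office or Equation Editor host spawning a child, execution from C:\Users\Public or %TEMP%, a scheduled task created from an XML file in a user-writable folder, and an RWX allocation in another process followed by an MZ header written at its base, with later writes outside that region recorded as the second half of a hollowing sequence. The trace, the allocation size of 0x24000 and the bytes written after the MZ header are assumptions, since the report records addresses but not sizes or contents beyond 4D5A.

```python
"""Rule-based detection over a constructed process and memory event trace.

Added example, not code from the Joe Sandbox report or from NanoCore: the
trace below is constructed to mirror the chain the report records
(EQNEDT32.EXE starts 098765.exe from the Public folder, which starts a
RegAsm.exe copy from Temp, allocates RWX memory in it at 0x400000, writes an
MZ header there and later runs schtasks.exe with an XML file from Temp).
The allocation size 0x24000 and the bytes written after the MZ header are
assumptions; the report records addresses, not sizes or full contents.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

OFFICE_HOSTS = {"eqnedt32.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\local\\temp\\")


@dataclass
class Event:
    kind: str          # "process", "alloc" or "write"
    src: str           # image path of the acting process
    target: str        # child image (process) or victim image (alloc / write)
    base: int = 0      # address for alloc / write
    size: int = 0      # allocation size in bytes
    protect: str = ""  # page protection for alloc
    data: bytes = b""  # first bytes written
    cmdline: str = ""  # command line for process events


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_user_writable(text: str) -> bool:
    return any(marker in text.lower() for marker in USER_WRITABLE)


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs in trace order."""
    findings: List[Tuple[str, str]] = []
    # Executable regions one process allocated inside another: (src, target) -> [(base, size)]
    rwx: Dict[Tuple[str, str], List[Tuple[int, int]]] = {}
    for e in events:
        if e.kind == "process":
            if _basename(e.src) in OFFICE_HOSTS:
                findings.append(("office_child_process", f"{_basename(e.src)} -> {e.target}"))
            if _in_user_writable(e.target):
                findings.append(("exec_from_user_writable", e.target))
            cl = e.cmdline.lower()
            if (_basename(e.target) == "schtasks.exe" and "/create" in cl
                    and "/xml" in cl and _in_user_writable(cl)):
                findings.append(("schtasks_xml_from_user_writable", e.cmdline))
        elif e.kind == "alloc" and e.src != e.target and "execute" in e.protect.lower():
            rwx.setdefault((e.src, e.target), []).append((e.base, e.size))
        elif e.kind == "write" and e.src != e.target:
            regions = [r for r in rwx.get((e.src, e.target), []) if r[0] <= e.base < r[0] + r[1]]
            if regions and e.base == regions[0][0] and e.data[:2] == b"MZ":
                # A PE header landing at the start of a foreign RWX region is image injection.
                findings.append(("pe_injection", f"{_basename(e.target)} base 0x{e.base:X}"))
            elif not regions:
                # Writes outside the injected image (PEB or thread-context fix-ups) are
                # the second half of a hollowing sequence and worth recording.
                findings.append(("foreign_write_outside_injected_image",
                                 f"{_basename(e.target)} addr 0x{e.base:X}"))
    return findings


# Constructed trace modelled on the report's entries (paths as in the report).
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPER = r"C:\Users\Public\098765.exe"
HOST = r"C:\Users\user\AppData\Local\Temp\RegAsm.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

SAMPLE_TRACE = [
    Event("process", EQNEDT, DROPPER, cmdline=DROPPER),
    Event("process", DROPPER, HOST, cmdline=HOST),
    Event("alloc", DROPPER, HOST, base=0x400000, size=0x24000, protect="PAGE_EXECUTE_READWRITE"),
    Event("write", DROPPER, HOST, base=0x400000, data=b"MZ\x90\x00"),
    Event("write", DROPPER, HOST, base=0x402000, data=b"\x55\x8b\xec"),
    Event("write", DROPPER, HOST, base=0x420000, data=b"\x00\x00\x00\x00"),
    Event("write", DROPPER, HOST, base=0x422000, data=b"\x00\x00\x00\x00"),
    Event("write", DROPPER, HOST, base=0x7EFDE008, data=b"\x00\x00\x40\x00"),
    Event("process", HOST, SCHTASKS,
          cmdline='schtasks.exe /create /f /tn "SMTP Service" '
                  '/xml C:\\Users\\user\\AppData\\Local\\Temp\\tmp7790.tmp'),
]


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_TRACE):
        print(f"{rule:40} {detail}")
```

Run stand-alone it prints six findings in trace order: the Equation Editor child, two executions from user-writable folders, the PE injection at 0x400000 in RegAsm.exe, the out-of-image write at 0x7EFDE008 and the schtasks creation from Temp. The in-image section writes at 0x402000, 0x420000 and 0x422000 produce nothing on their own, which is the point of tracking the allocation: only the header write and the writes that leave the region are distinctive.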

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000002.2357249695.00000000028F1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: 098765.exe PID: 2428, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORY
        Source: Yara match | File source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 5.2.RegAsm.exe.39401dc.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 5.2.RegAsm.exe.924629.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 5.2.RegAsm.exe.39401dc.12.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.098765.exe.340b8e2.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 5.2.RegAsm.exe.920000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 5.2.RegAsm.exe.3944805.13.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 5.2.RegAsm.exe.920000.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: 098765.exe, 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        (The last entry is the .NET metadata string heap of NanoCore's ClientPlugin.dll: the NanoCore.ClientPlugin and NanoCore.ClientPluginHost namespaces and the IClientNetworkHost, IClientUIHost, IClientLoggingHost and IClientAppHost plugin interfaces. These names are the contract between the client and its plugins, so they stay stable across builds and obfuscators, which is why NanoCore.ClientPluginHost is the string family signatures key on.)
        Yara detected Nanocore RAT: the same memory dumps and unpacked PE files as listed under Stealing of Sensitive Information above.

        Mitre Att&ck Matrix

        The original matrix is the full ATT&CK catalogue with count badges on the techniques this sample triggered. Only the badged techniques are listed here, grouped by tactic, with the badge digits kept as they were rendered in the original cell (a value such as 312 is most likely several adjacent badges run together by extraction, not a count of 312). No technique was badged under Lateral Movement, Exfiltration, Network Effects, Remote Service Effects or Impact.

        • Initial Access: Spearphishing Link 1; Valid Accounts 1
        • Execution: Exploitation for Client Execution 13; Command and Scripting Interpreter 1; Scheduled Task/Job 1
        • Persistence: Valid Accounts 1; Scheduled Task/Job 1
        • Privilege Escalation: Valid Accounts 1; Access Token Manipulation 1; Process Injection 312; Scheduled Task/Job 1
        • Defense Evasion: Disable or Modify Tools 11; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Software Packing 11; Masquerading 121; Valid Accounts 1; Access Token Manipulation 1; Virtualization/Sandbox Evasion 21; Process Injection 312; Hidden Files and Directories 1
        • Credential Access: Input Capture 11
        • Discovery: File and Directory Discovery 1; System Information Discovery 13; Security Software Discovery 1; Query Registry 1; Process Discovery 2; Virtualization/Sandbox Evasion 21; Application Window Discovery 1; Remote System Discovery 1
        • Collection: Archive Collected Data 11; Input Capture 11
        • Command and Control: Ingress Tool Transfer 1; Encrypted Channel 12; Non-Standard Port 1; Remote Access Software 1; Non-Application Layer Protocol 1; Application Layer Protocol 22

        Behavior Graph

        Behavior Graph ID: 435312 | Sample: Updated Order COA.doc | Start date: 16/06/2021 | Architecture: WINDOWS | Score: 100

        The graph, flattened by extraction, reads as the following process tree. Network entries give host, IP, destination port and source port as drawn in the graph; the numbers in parentheses are the counters drawn on the original nodes.

        Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 16 other signatures

        • WINWORD.EXE (291, 24): started from the sample
        • EQNEDT32.EXE (17): started from the sample
          - Network: offlineclubz.com 82.221.105.125, 443, 49168, THORDC-ASIS, Iceland; bit.ly 67.199.248.10, 443, 49167, GOOGLE-PRIVATE-CLOUDUS, United States
          - Dropped: C:\Users\user\AppData\Local\...\PC[1].txt (PE32); C:\Users\Public\098765.exe (PE32)
          - Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
          - Started: 098765.exe (12, 3)
            - Dropped: C:\Users\user\AppData\Local\Temp\RegAsm.exe (PE32)
            - Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 3 other signatures
            - Started: RegAsm.exe (6)
              - Network: wealthybillionaire.ddns.net 185.140.53.154, 5540, DAVID_CRAIGGG, Sweden
              - Dropped: C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859); C:\Users\user\AppData\Local\...\tmp7790.tmp (XML)
              - Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
              - Started: schtasks.exe
        • taskeng.exe (1): started from the sample; started RegAsm.exe

        Read together with the URL list further down (https://offlineclubz.com/PC.txt recovered from the cached file 2TE7JJq[1].htm), the network edges are consistent with this download path: the Equation Editor exploit requested a bit.ly link, followed the redirect to offlineclubz.com/PC.txt, and the PE32 served there is what the IE cache holds as PC[1].txt and what was written to C:\Users\Public\098765.exe. The second RegAsm.exe instance, under taskeng.exe, is the scheduled task firing during the run; the C2 connection to wealthybillionaire.ddns.net on port 5540 comes from the hollowed RegAsm.exe, not from the dropper.


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        Updated Order COA.doc | 17% | ReversingLabs | Document-Office.Exploit.CVE-2018-0802

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt | 100% | Joe Sandbox ML |
        C:\Users\Public\098765.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt | 22% | ReversingLabs | ByteCode-MSIL.Trojan.NanoBot
        C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | Metadefender |
        C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | ReversingLabs |
        C:\Users\Public\098765.exe | 22% | ReversingLabs | ByteCode-MSIL.Trojan.NanoBot

        The clean verdicts on the dropped RegAsm.exe are expected rather than reassuring: the file on disk is consistent with the genuine .NET Framework Assembly Registration tool copied into Temp to serve as the hollowing host, and the NanoCore payload exists only in that process's memory (see the unpacked files below). When triaging, compare its hash and Authenticode signature with the copy under C:\Windows\Microsoft.NET\Framework rather than relying on scanner output.

        Unpacked PE Files

        Source | Detection | Scanner | Label
        5.2.RegAsm.exe.920000.6.unpack | 100% | Avira | TR/NanoCore.fadte
        5.2.RegAsm.exe.400000.1.unpack | 100% | Avira | TR/Dropper.Gen

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        http://ns.adobe.c/s | 0% | Avira URL Cloud | safe
        http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
        http://ns.ao | 0% | Avira URL Cloud | safe
        http://ocsp.entrust.net03 | 0% | URL Reputation | safe
        http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
        http://go.microsoft. | 0% | URL Reputation | safe
        http://www.%s.comPA | 0% | URL Reputation | safe
        http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
        http://n.f | 0% | Avira URL Cloud | safe
        http://ocsp.entrust.net0D | 0% | URL Reputation | safe
        185.140.53.154 | 0% | Avira URL Cloud | safe
        wealthybillionaire.ddns.net | 0% | Avira URL Cloud | safe
        https://offlineclubz.com/PC.txt | 0% | Avira URL Cloud | safe
        http://ns.adobede | 0% | Avira URL Cloud | safe

        (Each URL Reputation row appeared three times in the original listing, one per feed. Two caveats: the "safe" verdicts on 185.140.53.154, wealthybillionaire.ddns.net and https://offlineclubz.com/PC.txt are reputation-feed results, not an assessment of the behaviour observed here, where the first two are the C2 endpoint and the third served the payload; and the truncated strings such as http://ns.ao, http://n.f and http://ocsp.entrust.net03 are fragments scraped from process memory, XMP namespace and ASN.1 remnants with a trailing length byte, not URLs the sample contacted.)

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        bit.ly | 67.199.248.10 | true | false | | high
        offlineclubz.com | 82.221.105.125 | true | false | | unknown
        wealthybillionaire.ddns.net | 185.140.53.154 | true | true | | unknown

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        185.140.53.154 | true | Avira URL Cloud: safe | unknown
        wealthybillionaire.ddns.net | true | Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://ns.adobe.c/s | 098765.exe, 00000004.00000003.2105300256.0000000004B43000.00000004.00000001.sdmp, 098765.exe, 00000004.00000003.2117350374.0000000004B43000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | 098765.exe, 00000004.00000002.2123869777.0000000005A00000.00000002.00000001.sdmp, RegAsm.exe, 00000005.00000002.2356838381.0000000002220000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2356343115.0000000001C20000.00000002.00000001.sdmp, RegAsm.exe, 00000009.00000002.2127779177.0000000002370000.00000002.00000001.sdmp | false | | high
        http://ns.ao | 098765.exe, 00000004.00000003.2105300256.0000000004B43000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://crl.entrust.net/server1.crl0 | 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp | false | | high
        http://ocsp.entrust.net03 | 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
        http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
        http://go.microsoft. | RegAsm.exe | false | URL Reputation: safe | unknown
        http://www.%s.comPA | 098765.exe, 00000004.00000002.2123869777.0000000005A00000.00000002.00000001.sdmp, RegAsm.exe, 00000005.00000002.2356838381.0000000002220000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2356343115.0000000001C20000.00000002.00000001.sdmp, RegAsm.exe, 00000009.00000002.2127779177.0000000002370000.00000002.00000001.sdmp | false | URL Reputation: safe | low
        http://www.diginotar.nl/cps/pkioverheid0 | 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
        http://n.f | 098765.exe, 00000004.00000003.2105300256.0000000004B43000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://ocsp.entrust.net0D | 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 098765.exe, 00000004.00000002.2118199877.00000000022E1000.00000004.00000001.sdmp | false | | high
        https://secure.comodo.com/CPS0 | 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp | false | | high
        http://crl.entrust.net/2048ca.crl0 | 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp | false | | high
        http://schema.org/WebPage | 098765.exe, 00000004.00000002.2118233396.0000000002320000.00000004.00000001.sdmp, 098765.exe, 00000004.00000002.2118217008.0000000002307000.00000004.00000001.sdmp | false | | high
        https://offlineclubz.com/PC.txt | 2TE7JJq[1].htm.2.dr | false | Avira URL Cloud: safe | unknown
        http://ns.adobede | 098765.exe, 00000004.00000003.2105300256.0000000004B43000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

        Contacted IPs

        Public

        IP | Domain | Country | ASN | ASN Name | Malicious
        82.221.105.125 | offlineclubz.com | Iceland | 50613 | THORDC-ASIS | false
        185.140.53.154 | wealthybillionaire.ddns.net | Sweden | 209623 | DAVID_CRAIGGG | true
        67.199.248.10 | bit.ly | United States | 396982 | GOOGLE-PRIVATE-CLOUDUS | false

                          General Information

                          Joe Sandbox Version:32.0.0 Black Diamond
                          Analysis ID:435312
                          Start date:16.06.2021
                          Start time:12:00:52
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 9m 38s
                          Hypervisor based Inspection enabled:false
                          Report type:light
                          Sample file name:Updated Order COA.doc
                          Cookbook file name:defaultwindowsofficecookbook.jbs
                          Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                           Number of new started processes analysed:11
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.troj.expl.evad.winDOC@11/22@9/3
                          EGA Information:Failed
                          HDC Information:
                          • Successful, ratio: 5.5% (good quality ratio 2.6%)
                          • Quality average: 24.4%
                          • Quality standard deviation: 30.5%
                          HCA Information:
                          • Successful, ratio: 98%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Found application associated with file extension: .doc
                          • Found Word or Excel or PowerPoint or XPS Viewer
                          • Attach to Office via COM
                          • Scroll down
                          • Close Viewer
                          Warnings:
                          • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
                          • TCP Packets have been reduced to 100
                          • Excluded IPs from analysis (whitelisted): 192.35.177.64, 8.238.28.126, 8.241.80.126, 8.241.83.126, 8.238.85.254, 8.241.89.254, 142.250.185.68, 131.253.33.200, 13.107.22.200
                          • Excluded domains from analysis (whitelisted): www.bing.com, dual-a-0001.dc-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, audownload.windowsupdate.nsatc.net, www-bing-com.dual-a-0001.a-msedge.net, apps.digsigtrust.com, ctldl.windowsupdate.com, www.google.com, auto.au.download.windowsupdate.com.c.footprint.net, apps.identrust.com, au-bg-shim.trafficmanager.net
                           • Not all processes were analyzed; the report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtSetInformationFile calls found.
                          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/435312/sample/Updated Order COA.doc

                          Simulations

                          Behavior and APIs

Time | Type | Description
12:01:36 | API Interceptor | 63x Sleep call for process: EQNEDT32.EXE modified
12:01:40 | API Interceptor | 133x Sleep call for process: 098765.exe modified
12:01:55 | API Interceptor | 1419x Sleep call for process: RegAsm.exe modified
12:01:57 | API Interceptor | 2x Sleep call for process: schtasks.exe modified
12:01:58 | Task Scheduler | Run new task: SMTP Service path: "C:\Users\user\AppData\Local\Temp\RegAsm.exe" s>$(Arg0)
12:01:58 | API Interceptor | 357x Sleep call for process: taskeng.exe modified
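The "SMTP Service" task above is the persistence mechanism: a copy of the signed .NET utility RegAsm.exe parked in the user's Temp directory (the same file listed under Dropped Files) is registered as a scheduled task whose argument is the Task Scheduler placeholder $(Arg0), so the static task definition never reveals the real command line. The following checker is an added example written for this report, not Joe Sandbox or NanoCore code. It parses Task Scheduler XML and flags actions that run from user-writable paths, .NET Framework binaries that live outside the Framework directory, $(Arg…) substitution, hidden tasks and service-like names. The sample task is constructed: its name, command path and $(Arg0) argument come from the Simulations table; the logon trigger, the Hidden flag and the XML layout are assumptions, as is the benign control task.

```python
"""Triage Windows Task Scheduler XML for persistence shaped like the report's
"SMTP Service" task. Added example; not Joe Sandbox code."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path, PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations any unprivileged user can write to: a task action living here
# persists across reboots without ever touching a privileged directory.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)

# Signed Microsoft .NET utilities that malware copies out of their install
# directory to use as an injection host. Genuine copies live under Framework\v*.
FRAMEWORK_DIR = r"\\microsoft\.net\\framework(64)?\\v[\d.]+\\"
LOLBIN_HOMES = {n: FRAMEWORK_DIR for n in ("regasm.exe", "regsvcs.exe", "installutil.exe")}

# Words used to make a task name pass as a Windows component.
SERVICE_WORDS = re.compile(r"\b(service|update|defender|security|smtp|dns)\b", re.I)


def scan_task_xml(xml_text, task_name=None):
    """Return a list of findings for one task definition (empty list = nothing odd)."""
    root = ET.fromstring(xml_text)
    findings = []
    name = task_name or root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exe.findtext("t:Arguments", default="", namespaces=NS)
        if USER_WRITABLE.search(cmd):
            findings.append(f"action runs from a user-writable path: {cmd}")
        base = PureWindowsPath(cmd).name.lower()
        home = LOLBIN_HOMES.get(base)
        if home and not re.search(home, cmd, re.I):
            findings.append(f"{base} outside its .NET Framework directory: {cmd}")
        if "$(Arg" in args:
            # $(Arg0)..$(Arg32) are filled in by whoever starts the task through the
            # Task Scheduler API, so the XML alone never shows the real command line.
            findings.append(f"runtime argument substitution hides the command line: {args}")
    hidden = root.findtext(".//t:Settings/t:Hidden", default="false", namespaces=NS)
    if hidden.strip().lower() == "true":
        findings.append("task is hidden from the Task Scheduler UI")
    # Service-like names are common in legitimate tasks (WindowsUpdate, Defender);
    # only report the name when something else is already wrong.
    if findings and SERVICE_WORDS.search(name):
        findings.append(f"task name mimics a Windows component: {name}")
    return findings


def scan_task_store(task_dir):
    """Scan every task file below e.g. C:\\Windows\\System32\\Tasks (UTF-16 XML)."""
    results = {}
    for path in Path(task_dir).rglob("*"):
        if not path.is_file():
            continue
        try:
            hits = scan_task_xml(path.read_bytes(), task_name=str(path.relative_to(task_dir)))
        except ET.ParseError:
            continue
        if hits:
            results[str(path)] = hits
    return results


# Constructed task modelled on the report: name, command and $(Arg0) are from the
# Simulations table; trigger, Hidden flag and layout are assumptions.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\SMTP Service</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>"C:\\Users\\user\\AppData\\Local\\Temp\\RegAsm.exe"</Command>
    <Arguments>$(Arg0)</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign control: a built-in maintenance task under %windir%.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o -$</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for finding in scan_task_xml(SAMPLE_TASK_XML):
        print("SMTP Service:", finding)
    print("ScheduledDefrag:", scan_task_xml(BENIGN_TASK_XML) or "clean")
```

On a live host, `scan_task_store(r"C:\Windows\System32\Tasks")` walks the task store directly; pairing its output with Security event 4698 (task created) and the schtasks.exe process seen at 12:01:57 gives the creation time and the creating process, which the XML itself does not record.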

                          Joe Sandbox View / Context

                          IPs

Associated Sample Name / URL | Detection | Context

Match: 82.221.105.125
gbqFfT54L.rtf | malicious | mysit.space/123//v/bGo2799
65001078.DOC | malicious | uploadtops.is/1//q/grFRBQT
Product list - Quotation sheet.doc | malicious | uploadtops.is/1//q/8oEITJq
17Revenue_doc_id4837726.exe | malicious | uploadtops.is/1//q/lJqqLvC
Payment slip.doc | malicious | uploadtops.is/1//f/NuRHVL9
71355881.doc | malicious | uploadtops.is/1//f/z132Bct
ORDER_20180620.DOC | malicious | uploadtops.is/1//f/rihUTZ7
Product_details.doc | malicious | uploadtops.is/1//f/uwkjs1U
RE RE Minimum Order Quantity 34562$$.doc | malicious | uploadtops.is/1//f/RkEXBrB
Provision Requisition Quotation 04.05.2018.doc | malicious | uploadtops.is/1//f/PecgndH
2 Remittance Advice.doc | malicious | uploadtops.is/1//f/St7GsQ3
L6GuxhH6S.rtf | malicious | uploadtops.is/1//f/St7GsQ3

Match: 185.140.53.154
Maersk BL & PL.exe | malicious | -
Quotation.exe | malicious | -
SWIFT.exe | malicious | -
Qotation.exe | malicious | -
SMJshb9rCD.exe | malicious | -
3z4ibRIdCl.exe | malicious | -
UfQ7WpbVPG.exe | malicious | -
9ieQE1S5ZH.exe | malicious | -

                                          Domains

Associated Sample Name / URL | Detection | Context

Match: bit.ly
#Ud83d#Udcde_#U25b6#Ufe0f.htm | malicious | 67.199.248.10
P.I-84514.doc | malicious | 67.199.248.11
P.I-84512.doc | malicious | 67.199.248.11
#Ud83d#Udcde_#U25b6#Ufe0fPlay_to_Listen.htm | malicious | 67.199.248.10
#Ud83d#Udcde_Message_Received_05_19_21.htm.htm | malicious | 67.199.248.10
#Ud83d#Udcde_#U25b6#Ufe0fPlay_to_Listen.htm.htm | malicious | 67.199.248.10
#Ud83d#Udcde_#U25b6#Ufe0f.htm | malicious | 67.199.248.10
#U266b Audio_47920.wavv - - Copy.html | malicious | 67.199.248.11
#Ud83d#Udcde_#U25b6#Ufe0fPlay_to_Listen htm.htm | malicious | 67.199.248.11
kSfW7fFDWa.rtf | malicious | 67.199.248.10
2020tb3005.doc__.rtf | malicious | 67.199.248.11
-Recibo de pago.doc | malicious | 67.199.248.11
Lingarogroup_Scan_item.htm | malicious | 67.199.248.11
itOr6lv1UH.exe | malicious | 67.199.248.11
Qgc2Nreer3.exe | malicious | 67.199.248.11
purchase inquiry 25.5.2021.doc__.rtf | malicious | 67.199.248.10
purchase order.doc | malicious | 67.199.248.11
#Ud83d#Udcde(801) 451.htm | malicious | 67.199.248.10
Revise Order Sheets.doc | malicious | 67.199.248.11
Payoff - 2021AT0514.doc | malicious | 67.199.248.10

Match: wealthybillionaire.ddns.net
Revise Order Sheets.doc | malicious | 79.134.225.52
TT SWIFT COPY.exe | malicious | 41.217.65.85
bedrapes.exe | malicious | 154.118.68.3

                                          ASN

Associated Sample Name / URL | Detection | Context

Match: DAVID_CRAIGGG
Payment confirmation.exe | malicious | 185.140.53.45
03soKqWLfN.exe | malicious | 185.140.53.145
installer.exe | malicious | 185.140.53.145
Maersk BL & PL.exe | malicious | 185.140.53.154
vmw7WdkJ6k.exe | malicious | 185.140.53.12
ORDER.exe | malicious | 185.140.53.135
ORDER-21611docx.exe | malicious | 185.165.153.116
6VYNUalwUt.exe | malicious | 185.244.30.92
ORDER-6010.pdf.exe | malicious | 185.244.30.92
CONTRACT.exe | malicious | 185.140.53.135
doc03027320210521173305IMG0012.exe | malicious | 185.140.53.230
yfilQwrYpA.exe | malicious | 185.140.53.216
Ff6m4N8pog.exe | malicious | 185.140.53.216
yCdBrRiAN2.exe | malicious | 185.140.53.216
loKHQzx6Lf.exe | malicious | 185.140.53.216
SecuriteInfo.com.Program.Win32.Wacapew.Cml.7225.exe | malicious | 185.140.53.129
Shipping Documents_Bill of Lading 910571880.exe | malicious | 185.140.53.129
knqh5Hw6gu.exe | malicious | 185.140.53.13
Container_Deposit_slip_pdf.jar | malicious | 185.244.30.47
Cargo Charter Request details.vbs | malicious | 185.244.30.184

Match: THORDC-AS
ISi | malicious | 82.221.103.244
Factura_202768456912.html | malicious | 82.221.141.10
sMjtvTsYf5.exe | malicious | 192.253.250.161
yVn2ywuhEC.exe | malicious | 82.221.103.244
FickerStealer.exe | malicious | 82.221.131.102
isb777amx.exe | malicious | 82.221.131.5
uTorrent.exe | malicious | 82.221.103.245
9ISF FILLING 10+.exe | malicious | 82.221.136.4
67Final Draft ISF 10+2 Fillin.exe | malicious | 82.221.113.145
47Abusive Email Letter.exe | malicious | 82.221.129.19
14INV NO.35839 - 2018.doc | malicious | 82.221.129.19
7REQUEST FOR QUOTE LIST-pdf.exe | malicious | 82.221.129.19
19Document-pdf.exe | malicious | 82.221.129.19
11112837654201809.doc | malicious | 82.221.129.19
35doc43288920180918.doc | malicious | 82.221.129.19
23NF-DOC865443.doc | malicious | 82.221.129.19
63Document-2.exe | malicious | 82.221.129.19
18PO45433.doc | malicious | 82.221.129.19
17po029222.exe | malicious | 82.221.129.19
30Abusive Email Letter.exe | malicious | 82.221.129.19

                                          JA3 Fingerprints

Associated Sample Name / URL | Detection | Context

Match: 7dcce5b76c8b17472d024758970a406b
A JA3 hash fingerprints the TLS client stack that sent the ClientHello (here Windows Schannel driven by EQNEDT32.EXE), not the payload, so every Office-document sample analysed on the same Windows build produces this value; pivot on it together with the destination IP or domain, never on its own.
tender-156639535.xlsm | malicious | 82.221.105.125, 67.199.248.10
Agenda1.docx | malicious | 82.221.105.125, 67.199.248.10
tender-2038988342.xlsm | malicious | 82.221.105.125, 67.199.248.10
Citibank Payment Advice.xlsx | malicious | 82.221.105.125, 67.199.248.10
sentence-1711450431.xlsm | malicious | 82.221.105.125, 67.199.248.10
RFQ Products.xlsx | malicious | 82.221.105.125, 67.199.248.10
Tax Document.docx | malicious | 82.221.105.125, 67.199.248.10
hG6FzLXtsf.xls | malicious | 82.221.105.125, 67.199.248.10
P0fhg2Duqa.xls | malicious | 82.221.105.125, 67.199.248.10
GENERAL DYNAMICS_WlRE_REMITTANCE.xlsx | malicious | 82.221.105.125, 67.199.248.10
GENERAL DYNAMICS_WlRE_REMITTANCE_virus_scan.xlsx | malicious | 82.221.105.125, 67.199.248.10
SecuriteInfo.com.Exploit.Rtf.Obfuscated.16.13632.rtf | malicious | 82.221.105.125, 67.199.248.10
RFQ SI-01.08.062021.doc | malicious | 82.221.105.125, 67.199.248.10
REQ-54265-CSE-445.doc | malicious | 82.221.105.125, 67.199.248.10
RFQ-Excel-NPF0140621.doc | malicious | 82.221.105.125, 67.199.248.10
RFQ#176220621.doc | malicious | 82.221.105.125, 67.199.248.10
Purchase Order.doc | malicious | 82.221.105.125, 67.199.248.10
Purchase Order.doc | malicious | 82.221.105.125, 67.199.248.10
New Order PO2193570O1.doc | malicious | 82.221.105.125, 67.199.248.10
document-47-2637.xls | malicious | 82.221.105.125, 67.199.248.10

                                          Dropped Files

Associated Sample Name / URL | Detection | Context

Match: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Ref 0180066743.xlsx | malicious | -
Purchase Order Price List.xlsx | malicious | -
Quote QU038097.doc | malicious | -
6Cprm97UTl.xls | malicious | -
Payment_Confirmation_Slip.xlsx | malicious | -
Overdue Invoice.xlsx | malicious | -
Quotation.xlsx | malicious | -
ENCLOSE ORDER LIST.xlsx | malicious | -
PO INV 195167 & 195324.xlsx | malicious | -
Bank letter.xlsx | malicious | -
Quotation.xlsx | malicious | -
PO 19030004.xlsx | malicious | -
New PO PO20.xlsx | malicious | -
ORDER LIST.xlsx | malicious | -
RFQ 00112.xlsx | malicious | -
inquiry.xlsx | malicious | -

                                                                          Created / dropped Files

                                                                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:Microsoft Cabinet archive data, 60080 bytes, 1 file
                                                                          Category:dropped
                                                                          Size (bytes):60080
                                                                          Entropy (8bit):7.995256720209506
                                                                          Encrypted:true
                                                                          SSDEEP:768:O78wIEbt8Rc7GHyP7zpxeiB9jTs6cX8ENclXVbFYYDceSKZyhRhbzfgtEnz9BPNZ:A8Rc7GHyhUHsVNPOlhbz2E5BPNiUu+g4
                                                                          MD5:6045BACCF49E1EBA0E674945311A06E6
                                                                          SHA1:379C6234849EECEDE26FAD192C2EE59E0F0221CB
                                                                          SHA-256:65830A65CB913BEE83258E4AC3E140FAF131E7EB084D39F7020C7ACC825B0A58
                                                                          SHA-512:DA32AF6A730884E73956E4EB6BFF61A1326B3EF8BA0A213B5B4AAD6DE4FBD471B3550B6AC2110F1D0B2091E33C70D44E498F897376F8E1998B1D2AFAC789ABEB
                                                                          Malicious:false
                                                                          Reputation:moderate, very likely benign file
                                                                          Preview: MSCF............,...................I........d.........R9b .authroot.stl.3..).4..CK..8T....c_.d....A.K...].M$[v.4.)7-.%.QIR..$t)Kd.-[..T\{..ne.....{..<.......Ab.<..X....sb.....e........dbu.3...0........X..00&Z....C...p0.}..2..0m.}..Cj.9U..J.j.Y...#.L..\X..O.,...,.qu..]..(B.nE~Q...)..Gcx.....}...f....zw.a..9+[.<0.'..2 .s..ya..J......wd....OO!.s....`.WA...F6._f....6...g..2..7.$,....X.k..&...E...g.....>uv."..!......xc......C..?....P0$.Y..?u....Z0.g3.>W0&.y.(....].`>... ..R.q..wg*X......qB!.B....Z.4..>.R.M..0.8...=.8..Ya.s.......add..)..w.4.&.z...2.&74.5]..w.j.._iK..||[.w.M.!<-.}%.C<tDX5\s._..I..*..nb.....GCQ.V..r..Y.............q...0..V)Tu>.Z..r...I...<.R{Ac..x^. .<A........|.{.....Q...&....X..C$....e9.:..vI..x.R4...L......%g...<..}'{....E8Sl...E".h...*.........ItVs.K......3.9.l..`D..e.i`....y...,..5....aSs`..W...d...t.J..]....'u3..d]7..=e....[R!:........Q.%..@........ga.v.~..q....{.!N.b]x..Zx.../;#}.f.)k.c9..{rmPt..z5.m=..q..%.D#<+Ex....1|.._F.
                                                                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):893
                                                                          Entropy (8bit):7.366016576663508
                                                                          Encrypted:false
                                                                          SSDEEP:24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
                                                                          MD5:D4AE187B4574036C2D76B6DF8A8C1A30
                                                                          SHA1:B06F409FA14BAB33CBAF4A37811B8740B624D9E5
                                                                          SHA-256:A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
                                                                          SHA-512:1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
                                                                          Malicious:false
                                                                          Reputation:high, very likely benign file
                                                                          Preview: 0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.......D....'..09...@k0...*.H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0...*.H.............0..........P..W..be......,k0.[...}.@......3vI*.?!I..N..>H.e...!.e.*.2....w..{........s.z..2..~..0....*8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.*....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i....*.)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0...*.H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..|.Wv..(9..e...w.j..w.......)...55.1.
                                                                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):328
                                                                          Entropy (8bit):3.1202775039435013
                                                                          Encrypted:false
                                                                          SSDEEP:6:kKXx6yMEe8N+SkQlPlEGYRMY9z+4KlDA3RUeWlK1MMx:P8k8kPlE99SNxAhUe3OMx
                                                                          MD5:48AAC9E7FEAD1053A0FA1B4E07DC7919
                                                                          SHA1:4356801A6D304881B661B1E7FE24B4124BB152F6
                                                                          SHA-256:14BE10736942859BA83102FA16C77C1081861A12A9E741AFE502335F8641203A
                                                                          SHA-512:1E10781556327E96C61FEEDAFEEC4418191F6F7061DFF1A78950ACA0654FC711C72AB1EB759E0E51E34B151EB714AEF20D6213FFE9183A4E3D915216DA3B4FB2
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview: p...... ........V.T..b..(....................................................... ............L......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.9.0.e.6.c.f.e.3.4.c.d.7.1.:.0."...
                                                                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):252
                                                                          Entropy (8bit):2.96847467253794
                                                                          Encrypted:false
                                                                          SSDEEP:3:kkFklR31fllXlE/+CkJdllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1yR9l1LlN:kKCR5liBAIdQZV7Qrl5
                                                                          MD5:8B5B3FD54D39A3B492C7ADCFFAA709ED
                                                                          SHA1:63158D1BEAE722B6A3996885C29C604ABCC1B7EE
                                                                          SHA-256:C1FB6B3AC300A0FF6F654F684BE82F838676700ED56719848587E329D167C31C
                                                                          SHA-512:C15D22D929BB610BE272CD68D713E7F23BA2480223818C04F88D474EDE7680B974BB4CCC869D7269B9E006A78397E38F530A1A066564FA78ACDDF2E3D3A5C34E
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview: p...... ....`..... ..b..(....................................................... ........[..^......(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.c.4.8.0.c.7.c.5.2.f.8.0."...
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:downloaded
                                                                          Size (bytes):659456
                                                                          Entropy (8bit):6.648738100237886
                                                                          Encrypted:false
                                                                          SSDEEP:6144:ie7tkcyarn5KfNZCM2RG+zcwxOVbcEkXd5+d/T7xvoldaoAxKiYe1SvA5UamZ6vh:XFn5W8M4GSYbcb/+V7B+AcigemZ6Xd
                                                                          MD5:5688C69C4379841EEE42DCAEC2DBF55A
                                                                          SHA1:09A30EC730D1FDF77E80F6D31AA4D810E36B1C44
                                                                          SHA-256:62801897AE3411A8F144F2F7290AD2133AD0895F4F1550922DCA9C6F4B9E8114
                                                                          SHA-512:1CEE75D6FFDC9A1E9E903672C83A7E042E9A6A34D42B156BD11A6ED215A82FE336E86158892A6EE129239F52F22CCFE19062D8668C6B9BE5027775BD19424174
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 22%
                                                                          Reputation:low
                                                                          IE Cache URL:https://offlineclubz.com/PC.txt
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....37B............................~'... ...@....@.. ....................................`.................................$'..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`'......H..........\...........LY..z-..................................................#Y./..U.[P..c.Q..q<z.....\..k.A..4r..CTd..41n.8.[z..,.4k...f...[....v;+ /...z.p.r..?...ql...Dy9.V..PA..h..c$....o&.tA.6@.!.bo..../.f).a(........x.L.Z......6@......EM$.7^?.0.w.2O......C.R...fc...A.>q..P2...aBZ..&o.p7.RS@<.>.TO6!;..*.....Zn.G.s.....r...j....hi.;.....B..T..Pn.../@!..o.(...d0.'D:....pu.v...^...T..c....B....G0.K}Y......ic@....R..d0q..Q.xn.BR...._8.&V...h2...[./.[..
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\2TE7JJq[1].htm
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:HTML document, ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):118
                                                                          Entropy (8bit):4.5727834342595335
                                                                          Encrypted:false
                                                                          SSDEEP:3:qVvzLURODccZ/vXbvx9nDylVbeSkHsIkFSXbKFvNGb:qFzLIeco3XLx92lReNsIMSLWQb
                                                                          MD5:8966664618E37682868AB0D64BEBEBFE
                                                                          SHA1:38FCE0D612CDEFBE2F68194AC0D38BE6FB6D3819
                                                                          SHA-256:A61F7F7C08995E9DF78299E9C8E65EA7FB97639B3DDF6F32B49DAADD155B8D4C
                                                                          SHA-512:8D68BA78CDF5997D9B95D14C70106994AE8C7F2AB02B9F528461F1DF84B7D26AF7BF304056746369D5D168E857182E126F2223EFB9321ACA8E3C75217952DAA8
                                                                          Malicious:false
                                                                          Preview: <html>.<head><title>Bitly</title></head>.<body><a href="https://offlineclubz.com/PC.txt">moved here</a></body>.</html>
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0863C5D3-5908-4917-8F28-8909E0160183}.tmp
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):2150792
                                                                          Entropy (8bit):4.154182985075007
                                                                          Encrypted:false
                                                                          SSDEEP:49152:y6ugLOlOuO0O0OBwuOu8uiuKuOuFuZuOuOwzuOuN9OuOoSuOugbq:y6ugLOlOuO0O0OBwuOu8uiuKuOuFuZuA
                                                                          MD5:49CA5D1741FDA53C2894B360D1A8D648
                                                                          SHA1:44629C7D28BF1FB4087E0FB72492D2AC083C98F7
                                                                          SHA-256:4E6AE2AA54440C99F7814B49065F3CEE5742EBF6FB019677E2EFBD39958EE19B
                                                                          SHA-512:007A71A497CACD348E6490E7BC627EF6CB237AB9041127EF50F52BE985721D4BF038E6B227A324E0C5E658C04B4EB39200904A7B1FC748011D284445EAEAE328
                                                                          Malicious:false
                                                                          Preview: ..@.a.W.B.N.Z.v.a.u.7.K.A.p.V.5.Z.b.@.-.A.d.V.7.o.Z.3.o.9.t.P.U.M.i.Q.O.<.e.h.&.&.8._.M.-.C._.C.C.-.-._.-.s.,.6.5.>.9.0.0.0.8.6.$.C.v.>.I.t.=.i.9.|.:.%.a.P.d._.>.G.n.3.#.b.m.%.;.=...0.3.+.v.U.~.7...4.H.g.H.m.?.?._.W.~.5.+.T.f.I.?.n.M.[.T.M.2.7.R.w.U.D.^.:.e.].f.s.E.&.Q.k.P.0.?.G.N.D.?.v.R.6.K.P.[.H.I.C.n.9.B.i.P.s.R.^.?.].?.E.a.b.P.x.?.u.X.t.:.N.'.z.^.3.f.w.?.!.K.W.#.c.F.d.%.&.V.5.i.?.I.b.K.[.V.~.r.v.W.a.*.w.E.a.9.k.0.t.N.3.:.V.9.3.Z.?.V.].&.J.Z.0.L.A.E.6.o.>.i.p.F.f.n._.m.Q.Y.#.1.e.P.9.r.#.'.[.z.p.w.X.2.4.$.N.A.R.k.D.V.C.|.6.L.5.y.1.^.~.Q.I.6.q.T.m.>.x.I.g.B.R.G.:.f.L.[.i.0.a.*.V.$.U.r.y.h.r.y.].O.f.F.8.Y.n.y.L.l.a.T.l.I.E.C.E.?.:.b.'._.Q.A.p.H.?.d.l.'.2.F.k.:.W.S.3.L.g.7.^.u.!.|.Z.G.g.M.8.S.m.2.j.P.z.B.?.f.x.1.d.K.M.L.*.V.&.m.].].g.?.x.Y.k.m.I.T.8.j.8.&.2.T.u.'.3.U.h.U.U.Y.w.#.e.^.i.y.N.D.X.=.Z...].u.E.K.$.M.>.#.4.O.>.u.p.>.y.*.z.v.E.0.0.I.d.+.>.2.E.r.G.5.L.%.r.%.h.A.?.t.p.V.b.q.2.i._._.Z.p.'.e.m.9.?.7.W.@.Q.T.R.K.I.j.6.'.D.M.D.8.t.y...G.G.*.Z.K.n.?.A.J.c.w.r.9.S.j.^.*.s.3.*.!.c.e.N.
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{248C44A0-30CA-4646-ACFF-79FC9E14ADCB}.tmp
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):1024
                                                                          Entropy (8bit):0.05390218305374581
                                                                          Encrypted:false
                                                                          SSDEEP:3:ol3lYdn:4Wn
                                                                          MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                          SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                          SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                          SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                          Malicious:false
                                                                          Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C2D3EB9C-AB70-4784-8852-5C03B64EE05D}.tmp
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):1536
                                                                          Entropy (8bit):1.3586208805849456
                                                                          Encrypted:false
                                                                          SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbv:IiiiiiiiiifdLloZQc8++lsJe1Mzon
                                                                          MD5:074A6EF7D45528608B5D3050054D2C36
                                                                          SHA1:FA0468DB929013612B7B3B7C01DED8003CAF3D39
                                                                          SHA-256:28BAF8E05009CC690F7B69EECEB57881D52323E6A9412B10A16F6EBD8A9A8C05
                                                                          SHA-512:DC248B1A54330C0574CB95C9E96C7095562FA9AB9673403FBA8377ACB37035A8448DB3113E7363B28C9A9C2D22C7EA52BC6833739B8801F39E6A7E3027AF994E
                                                                          Malicious:false
                                                                          Preview: ..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          C:\Users\user\AppData\Local\Temp\CabAEF5.tmp
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:Microsoft Cabinet archive data, 60080 bytes, 1 file
                                                                          Category:dropped
                                                                          Size (bytes):60080
                                                                          Entropy (8bit):7.995256720209506
                                                                          Encrypted:true
                                                                          SSDEEP:768:O78wIEbt8Rc7GHyP7zpxeiB9jTs6cX8ENclXVbFYYDceSKZyhRhbzfgtEnz9BPNZ:A8Rc7GHyhUHsVNPOlhbz2E5BPNiUu+g4
                                                                          MD5:6045BACCF49E1EBA0E674945311A06E6
                                                                          SHA1:379C6234849EECEDE26FAD192C2EE59E0F0221CB
                                                                          SHA-256:65830A65CB913BEE83258E4AC3E140FAF131E7EB084D39F7020C7ACC825B0A58
                                                                          SHA-512:DA32AF6A730884E73956E4EB6BFF61A1326B3EF8BA0A213B5B4AAD6DE4FBD471B3550B6AC2110F1D0B2091E33C70D44E498F897376F8E1998B1D2AFAC789ABEB
                                                                          Malicious:false
                                                                          Preview: MSCF............,...................I........d.........R9b .authroot.stl.3..).4..CK..8T....c_.d....A.K...].M$[v.4.)7-.%.QIR..$t)Kd.-[..T\{..ne.....{..<.......Ab.<..X....sb.....e........dbu.3...0........X..00&Z....C...p0.}..2..0m.}..Cj.9U..J.j.Y...#.L..\X..O.,...,.qu..]..(B.nE~Q...)..Gcx.....}...f....zw.a..9+[.<0.'..2 .s..ya..J......wd....OO!.s....`.WA...F6._f....6...g..2..7.$,....X.k..&...E...g.....>uv."..!......xc......C..?....P0$.Y..?u....Z0.g3.>W0&.y.(....].`>... ..R.q..wg*X......qB!.B....Z.4..>.R.M..0.8...=.8..Ya.s.......add..)..w.4.&.z...2.&74.5]..w.j.._iK..||[.w.M.!<-.}%.C<tDX5\s._..I..*..nb.....GCQ.V..r..Y.............q...0..V)Tu>.Z..r...I...<.R{Ac..x^. .<A........|.{.....Q...&....X..C$....e9.:..vI..x.R4...L......%g...<..}'{....E8Sl...E".h...*.........ItVs.K......3.9.l..`D..e.i`....y...,..5....aSs`..W...d...t.J..]....'u3..d]7..=e....[R!:........Q.%..@........ga.v.~..q....{.!N.b]x..Zx.../;#}.f.)k.c9..{rmPt..z5.m=..q..%.D#<+Ex....1|.._F.
                                                                          C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          Process:C:\Users\Public\098765.exe
                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):64672
                                                                          Entropy (8bit):6.033474133573561
                                                                          Encrypted:false
                                                                          SSDEEP:768:PedoViadPL1DI9WzutSjeJan8dBhF541kE6Iq8HaVxlYDKz4yqibwEBbr:XiaFJkobMa8dBXG2zbVUDKz4yq3EBbr
                                                                          MD5:ADF76F395D5A0ECBBF005390B73C3FD2
                                                                          SHA1:017801B7EBD2CC0E1151EEBEC14630DBAEE48229
                                                                          SHA-256:5FF87E563B2DF09E94E17C82741D9A43AED2F214643DC067232916FAE4B35417
                                                                          SHA-512:9670AC5A10719FA312336B790EAD713D78A9999DB236AD0841A32CD689559B9F5F8469E3AF93400F1BE5BAF2B3723574F16EA554C2AAF638734FFF806F18DB2B
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Metadefender, Detection: 0%
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Joe Sandbox View:
                                                                          • Filename: Ref 0180066743.xlsx, Detection: malicious
                                                                          • Filename: Purchase Order Price List.xlsx, Detection: malicious
                                                                          • Filename: Quote QU038097.doc, Detection: malicious
                                                                          • Filename: 6Cprm97UTl.xls, Detection: malicious
                                                                          • Filename: Payment_Confirmation_Slip.xlsx, Detection: malicious
                                                                          • Filename: Overdue Invoice.xlsx, Detection: malicious
                                                                          • Filename: Quotation.xlsx, Detection: malicious
                                                                          • Filename: ENCLOSE ORDER LIST.xlsx, Detection: malicious
                                                                          • Filename: PO INV 195167 & 195324.xlsx, Detection: malicious
                                                                          • Filename: Bank letter.xlsx, Detection: malicious
                                                                          • Filename: Quotation.xlsx, Detection: malicious
                                                                          • Filename: PO 19030004.xlsx, Detection: malicious
                                                                          • Filename: New PO PO20.xlsx, Detection: malicious
                                                                          • Filename: ORDER LIST.xlsx, Detection: malicious
                                                                          • Filename: RFQ 00112.xlsx, Detection: malicious
                                                                          • Filename: inquiry.xlsx, Detection: malicious
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.W..............0.................. ........@.. ....................... ......k.....`.....................................O.......8................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B........................H........A..`p...........................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.;...}S......i.>...}T......i.>...}U.....+m...(....o......r]..p.o ...,..{T.......{U........o!....+(.ra..p.o ...,..{T.......
                                                                          C:\Users\user\AppData\Local\Temp\TarAEF6.tmp
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):156885
                                                                          Entropy (8bit):6.30972017530066
                                                                          Encrypted:false
                                                                          SSDEEP:1536:NlR6c79JjgCyrYBWsWimp4Ydm6Caku2SWsz0OD8reJgMnl3XlMuGmO:N2UJcCyZfdmoku2SL3kMnBGuzO
                                                                          MD5:9BE376D85B319264740EF583F548B72A
                                                                          SHA1:6C6416CBC51AAC89A21A529695A8FCD3AD5E6B85
                                                                          SHA-256:07FDF8BC502E6BB4CF6AE214694F45C54A53228FC2002B2F17C9A2EF64EB76F6
                                                                          SHA-512:8AFC5D0D046E8B410EC1D29E2E16FB00CD92F8822D678AA0EE2A57098E05F2A0E165858347F035AE593B62BF195802CB6F9A5F92670041E1828669987CEEC7DE
                                                                          Malicious:false
                                                                          Preview: 0..d...*.H.........d.0..d....1.0...`.H.e......0..T...+.....7.....T.0..T.0...+.....7........L.E*u...210519191503Z0...+......0..T.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                                                                          C:\Users\user\AppData\Local\Temp\tmp7790.tmp
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1307
                                                                          Entropy (8bit):5.10141182324719
                                                                          Encrypted:false
                                                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Wa5xtn:cbk4oL600QydbQxIYODOLedq39a5j
                                                                          MD5:0110BA0E94E360796104E322DF75DC7B
                                                                          SHA1:2BB7D2336F5FF60FD081D548CB4FD2ACB1DFF02C
                                                                          SHA-256:967AB39BFA0491BC2107EB6BFF58F3C8750C9D1C6EE34B467FE764593E7768CB
                                                                          SHA-512:FFF636DB45ED48968BF8738E08AE2EAA1AD665BCB081A568C4669F02BB5816918A89E7B60E2BC7D689423A7697D01369C072578377DB13B1B1050CF5FE9CF46F
                                                                          Malicious:true
                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                          C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:ISO-8859 text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):8
                                                                          Entropy (8bit):3.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:8Q1t:8Q1t
                                                                          MD5:38A4642F1D21738670A0A97C59F534B8
                                                                          SHA1:00297350A2EC9C0E1D29843C4DDF97C4029F0701
                                                                          SHA-256:667B327299E4A2AFAF51EE5A8566BD177796B84AF410A31B04B6BC5C9B447220
                                                                          SHA-512:9837D7285E4FF71F5CC70EC12CF85ECC3F7EBBC59CC07EA81B22D4A1720E3A80C81419F4EEBB3C18D5F94BF33A467967678BD65A019B9EC36F4BBBDFB521DEDF
                                                                          Malicious:true
                                                                          Preview: .O.5.0.H
                                                                          C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\task.dat
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):44
                                                                          Entropy (8bit):4.24615711897243
                                                                          Encrypted:false
                                                                          SSDEEP:3:oNXp4E2J5xAI0L4A:oNP23f0L4A
                                                                          MD5:5E660472C77DA3439F72326B5DFFB266
                                                                          SHA1:AF5C9036F8FFDEE6DDA4F0FCB98FDCBA1C66929F
                                                                          SHA-256:D4496716123174FC18832BF7C22003B0A1B4D9140FBC672F91EF5687B85A5446
                                                                          SHA-512:B7840F8FF63AE79CB828851FAC8AEFA97E97427E1A5A47967A95C42AB2C3163FC1960F7BB3B065B6509648D133DA3AB8AFBA9B5E6F018DB5556E9153679841B0
                                                                          Malicious:false
                                                                          Preview: C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Updated Order COA.LNK
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Wed Jun 16 18:01:33 2021, length=2676268, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):2098
                                                                          Entropy (8bit):4.559640915747649
                                                                          Encrypted:false
                                                                          SSDEEP:24:85k/XTd6jFyoFreKZQDv3qadM7dD25k/XTd6jFyoFreKZQDv3qadM7dV:8S/XT0jFJxHZaQh2S/XT0jFJxHZaQ/
                                                                          MD5:1D986D013CAC96F831E9E632B5E3843D
                                                                          SHA1:21A72652B7C0A32B4882C4B193AE460B692A1BB3
                                                                          SHA-256:64DCBD0B651A0FE9D4BA4FE4A943EE10C46C28A4281FF737D828042434399F57
                                                                          SHA-512:252EA7098199805AD0F5936E90D3221E3DBE39C901CEA984B4394ED420DD170BFF554A7BDADDBBDE1CF17842C63A86DC15E7C34435C47C1B15663239BD0CCACC
                                                                          Malicious:false
                                                                          Preview: L..................F.... ...<f...{..<f...{.... ..b..,.(..........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....t.2.,.(..R1. .UPDATE~1.DOC..X.......Q.y.Q.y*...8.....................U.p.d.a.t.e.d. .O.r.d.e.r. .C.O.A...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\179605\Users.user\Desktop\Updated Order COA.doc.,.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.U.p.d.a.t.e.d. .O.r.d.e.r. .C.O.A...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......179605..........D_....3N...W...9F.C
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):89
                                                                          Entropy (8bit):4.359207826504001
                                                                          Encrypted:false
                                                                          SSDEEP:3:M1EEUkLUoVNkLUmX1EEUkLUv:M+E9528E9C
                                                                          MD5:49B80095D2558145DCCEEC72D874A816
                                                                          SHA1:931ADA0FE83161BCC2DBB495CF43FBFB1D3EC2DB
SHA-256: 816C4C832C4BE334D7658C2AC92D0F06323212C8CF8FDE5D3FCB21EE23B2D834
SHA-512: 2CA750205D5B520F37A66DCED0C22D531EA25E779F7F4B056CCEBF02D6E324C5FF77409CF6F43F481CD56B5F072F29CF54C9103CBA6EF530C247707085035D3F
Malicious: false
Preview: [doc]..Updated Order COA.LNK=0..Updated Order COA.LNK=0..[doc]..Updated Order COA.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.431160061181642
Encrypted: false
SSDEEP: 3:vrJlaCkWtVysAiJNGlzgYGwg32LbO/ln:vdsCkWthASq+l
MD5: 4CDEC46BF4C5E1435E277CB4821D6306
SHA1: 506F3E77835A2AE504189833D4EF30799A0ACE45
SHA-256: 39A3F2156450758ACBBCB3D8E9461BB4CDD93F41A3EC3A4013F4EB8D2A906537
SHA-512: 7039ED1E181A8368526A65F6F0D2F70E5BCEBD37BB3BFD8E270BB305F405DB0D843B1CAF6E4E05F6CF1D203A8AA326A1316CDDDD085DD59DB15A82A26E6FA575
Malicious: false
Preview: .user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Little-endian UTF-16 Unicode text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Preview: ..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\WG4KTJBM.txt
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: ASCII text
Category: downloaded
Size (bytes): 90
Entropy (8bit): 4.367513759017689
Encrypted: false
SSDEEP: 3:jvDiIEKEc2/KHMYi2EWcKvW26YV/n:fiwEP/KHbi2kKvCYV/n
MD5: A8822E64EB6D7DADA85EF5B64BA6AE9D
SHA1: 9678247403B198C7B085E6190D800BA0B719B52B
SHA-256: 9DD9ACB3E005FE39583C889004C06060F8178291BDD68EDF3048643A51E0E300
SHA-512: F006C0FD1028DF6432B77BC1CD7E10A6BE7A023B5CDA66E137D57CFC71252A1DBFDB619E8E02348049F675A1564B92AC609A2575D84F351B0F8FA1C2FF78E5B3
Malicious: false
IE Cache URL: bit.ly/
Preview: _bit.l5ga1G-ac8a65c983a3f14e72-00e.bit.ly/.1536.1838876416.30928904.1335906363.30892770.*.

C:\Users\user\Desktop\~$dated Order COA.doc
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.431160061181642
Encrypted: false
SSDEEP: 3:vrJlaCkWtVysAiJNGlzgYGwg32LbO/ln:vdsCkWthASq+l
MD5: 4CDEC46BF4C5E1435E277CB4821D6306
SHA1: 506F3E77835A2AE504189833D4EF30799A0ACE45
SHA-256: 39A3F2156450758ACBBCB3D8E9461BB4CDD93F41A3EC3A4013F4EB8D2A906537
SHA-512: 7039ED1E181A8368526A65F6F0D2F70E5BCEBD37BB3BFD8E270BB305F405DB0D843B1CAF6E4E05F6CF1D203A8AA326A1316CDDDD085DD59DB15A82A26E6FA575
Malicious: false
Preview: .user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\Public\098765.exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: modified
Size (bytes): 659456
Entropy (8bit): 6.648738100237886
Encrypted: false
SSDEEP: 6144:ie7tkcyarn5KfNZCM2RG+zcwxOVbcEkXd5+d/T7xvoldaoAxKiYe1SvA5UamZ6vh:XFn5W8M4GSYbcb/+V7B+AcigemZ6Xd
MD5: 5688C69C4379841EEE42DCAEC2DBF55A
SHA1: 09A30EC730D1FDF77E80F6D31AA4D810E36B1C44
SHA-256: 62801897AE3411A8F144F2F7290AD2133AD0895F4F1550922DCA9C6F4B9E8114
SHA-512: 1CEE75D6FFDC9A1E9E903672C83A7E042E9A6A34D42B156BD11A6ED215A82FE336E86158892A6EE129239F52F22CCFE19062D8668C6B9BE5027775BD19424174
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 22%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....37B............................~'... ...@....@.. ....................................`.................................$'..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`'......H..........\...........LY..z-..................................................#Y./..U.[P..c.Q..q<z.....\..k.A..4r..CTd..41n.8.[z..,.4k...f...[....v;+ /...z.p.r..?...ql...Dy9.V..PA..h..c$....o&.tA.6@.!.bo..../.f).a(........x.L.Z......6@......EM$.7^?.0.w.2O......C.R...fc...A.>q..P2...aBZ..&o.p7.RS@<.>.TO6!;..*.....Zn.G.s.....r...j....hi.;.....B..T..Pn.../@!..o.(...d0.'D:....pu.v...^...T..c....B....G0.K}Y......ic@....R..d0q..Q.xn.BR...._8.&V...h2...[./.[..

Static File Info

General

File type: Rich Text Format data, unknown version
Entropy (8bit): 5.29364667275501
TrID:
• Rich Text Format (5005/1) 55.56%
• Rich Text Format (4004/1) 44.44%
File name: Updated Order COA.doc
File size: 2676268
MD5: 59f9c2a162cf48fe5819f58b697c107c
SHA1: f8702f19bae3a9f2dd1fca58f6eae3d6e62d4878
SHA256: 23a865d4a1205be496c45012233d96255c90102e3925dab252d30d9a70f82ba9
SHA512: 2a992461f865f9d78cf7c183a97e0051914efd0e1921cf0e9f589546e3c01aabd2c8fae177d0d5a4111629fe2acbecbc8c7540e42bc542fce9e046ac6c0ccf22
SSDEEP: 24576:sBhBhBhBhBhBhBhBhBhBhBhBhBhBhBhBhBhBhBhBhBhBhBhBhB2SdWnK596WRaSm:v
File Content Preview: {\rtf00529\page63728156246287781@aWBNZvau7KApV5Zb@-AdV7oZ3o9tPUMiQO<eh&&8_M-C_CC--_-s,65>900086$Cv>It=i9|:%aPd_>Gn3#bm%\vLIL;=\lujj674458.03............+vU~7.4HgHm??_W~5+TfI?nM[TM27RwUD^:e]fsE&QkP0?GND?vR6KP[HICn9BiPsR^?]?EabPx?uXt:N'z^3fw?!KW#cFd%&V5i?Ib

File Icon

Icon Hash: e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
0 | 00105CB | 2 | h | | | | | | no
1 | 00105C8 | 1 | h | | | | | | no

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 16, 2021 12:01:41.864188910 CEST | 49167 | 443 | 192.168.2.22 | 67.199.248.10
Jun 16, 2021 12:01:41.916448116 CEST | 443 | 49167 | 67.199.248.10 | 192.168.2.22
Jun 16, 2021 12:01:41.916583061 CEST | 49167 | 443 | 192.168.2.22 | 67.199.248.10
Jun 16, 2021 12:01:41.935142994 CEST | 49167 | 443 | 192.168.2.22 | 67.199.248.10
Jun 16, 2021 12:01:41.985265970 CEST | 443 | 49167 | 67.199.248.10 | 192.168.2.22
Jun 16, 2021 12:01:41.986512899 CEST | 443 | 49167 | 67.199.248.10 | 192.168.2.22
Jun 16, 2021 12:01:41.986597061 CEST | 443 | 49167 | 67.199.248.10 | 192.168.2.22
Jun 16, 2021 12:01:41.986649036 CEST | 443 | 49167 | 67.199.248.10 | 192.168.2.22
Jun 16, 2021 12:01:41.986722946 CEST | 49167 | 443 | 192.168.2.22 | 67.199.248.10
Jun 16, 2021 12:01:41.986784935 CEST | 49167 | 443 | 192.168.2.22 | 67.199.248.10
Jun 16, 2021 12:01:41.986793041 CEST | 49167 | 443 | 192.168.2.22 | 67.199.248.10
Jun 16, 2021 12:01:42.002804041 CEST | 49167 | 443 | 192.168.2.22 | 67.199.248.10
Jun 16, 2021 12:01:42.053019047 CEST | 443 | 49167 | 67.199.248.10 | 192.168.2.22
Jun 16, 2021 12:01:42.053179979 CEST | 49167 | 443 | 192.168.2.22 | 67.199.248.10
Jun 16, 2021 12:01:42.254595041 CEST | 49167 | 443 | 192.168.2.22 | 67.199.248.10
Jun 16, 2021 12:01:42.310520887 CEST | 443 | 49167 | 67.199.248.10 | 192.168.2.22
Jun 16, 2021 12:01:42.394532919 CEST | 443 | 49167 | 67.199.248.10 | 192.168.2.22
Jun 16, 2021 12:01:42.394695044 CEST | 49167 | 443 | 192.168.2.22 | 67.199.248.10
Jun 16, 2021 12:01:42.711577892 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:42.806293964 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:42.806401968 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:42.807127953 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:42.900615931 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:42.900685072 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:42.900734901 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:42.900779963 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:42.900799990 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:42.900809050 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:42.900829077 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:42.900863886 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:42.903520107 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:42.997950077 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:42.998040915 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.245289087 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.338879108 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.338929892 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.338953018 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.338963032 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.338978052 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.338998079 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.338999987 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.339004993 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.339009047 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.339024067 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.339046001 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.339056015 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.339065075 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.339065075 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.339086056 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.339087963 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.339101076 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.339133024 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.342044115 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.432462931 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.432490110 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.432504892 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.432600975 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.432626963 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.432648897 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.432650089 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.432678938 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.432692051 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.432708025 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.432719946 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.432739019 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.432748079 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.432774067 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.432777882 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.432805061 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.432807922 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.432832956 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.432842016 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.432861090 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.432868004 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.432890892 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.432902098 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.432924032 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.432950020 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.432951927 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.432955980 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.432980061 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.432996035 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.433007956 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.433010101 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.433036089 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.433044910 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.433073997 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.435357094 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.435476065 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.439714909 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.528527975 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.528585911 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.528624058 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.528661966 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.528691053 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.528702021 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.528714895 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.528738976 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22
Jun 16, 2021 12:01:44.528750896 CEST | 49168 | 443 | 192.168.2.22 | 82.221.105.125
Jun 16, 2021 12:01:44.528778076 CEST | 443 | 49168 | 82.221.105.125 | 192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 16, 2021 12:01:41.736845970 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jun 16, 2021 12:01:41.790587902 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jun 16, 2021 12:01:41.790910006 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jun 16, 2021 12:01:41.846062899 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jun 16, 2021 12:01:42.417480946 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jun 16, 2021 12:01:42.533705950 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jun 16, 2021 12:01:42.534173012 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jun 16, 2021 12:01:42.646461964 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jun 16, 2021 12:01:42.646984100 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jun 16, 2021 12:01:42.709249973 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jun 16, 2021 12:01:43.074385881 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jun 16, 2021 12:01:43.127948999 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jun 16, 2021 12:01:43.130451918 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jun 16, 2021 12:01:43.185923100 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Jun 16, 2021 12:01:43.708142042 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Jun 16, 2021 12:01:43.761575937 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Jun 16, 2021 12:01:43.764358997 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Jun 16, 2021 12:01:43.828948975 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Jun 16, 2021 12:01:46.148313046 CEST | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Jun 16, 2021 12:01:46.207514048 CEST | 53 | 56009 | 8.8.8.8 | 192.168.2.22
Jun 16, 2021 12:01:47.061758041 CEST | 61865 | 53 | 192.168.2.22 | 8.8.8.8
Jun 16, 2021 12:01:47.128891945 CEST | 53 | 61865 | 8.8.8.8 | 192.168.2.22
Jun 16, 2021 12:01:47.145415068 CEST | 55171 | 53 | 192.168.2.22 | 8.8.8.8
Jun 16, 2021 12:01:47.204550028 CEST | 53 | 55171 | 8.8.8.8 | 192.168.2.22
Jun 16, 2021 12:03:08.136887074 CEST | 52496 | 53 | 192.168.2.22 | 8.8.8.8
Jun 16, 2021 12:03:08.195612907 CEST | 53 | 52496 | 8.8.8.8 | 192.168.2.22
Jun 16, 2021 12:03:08.196099997 CEST | 52496 | 53 | 192.168.2.22 | 8.8.8.8
Jun 16, 2021 12:03:08.255234957 CEST | 53 | 52496 | 8.8.8.8 | 192.168.2.22
Jun 16, 2021 12:03:25.335786104 CEST | 57564 | 53 | 192.168.2.22 | 8.8.8.8
Jun 16, 2021 12:03:25.396533966 CEST | 53 | 57564 | 8.8.8.8 | 192.168.2.22
Jun 16, 2021 12:03:41.962121010 CEST | 63009 | 53 | 192.168.2.22 | 8.8.8.8
Jun 16, 2021 12:03:42.022552013 CEST | 53 | 63009 | 8.8.8.8 | 192.168.2.22

                                                                          DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 16, 2021 12:01:41.736845970 CEST | 192.168.2.22 | 8.8.8.8 | 0x7e45 | Standard query (0) | bit.ly | A (IP address) | IN (0x0001)
Jun 16, 2021 12:01:41.790910006 CEST | 192.168.2.22 | 8.8.8.8 | 0x7e45 | Standard query (0) | bit.ly | A (IP address) | IN (0x0001)
Jun 16, 2021 12:01:42.417480946 CEST | 192.168.2.22 | 8.8.8.8 | 0xef41 | Standard query (0) | offlineclubz.com | A (IP address) | IN (0x0001)
Jun 16, 2021 12:01:42.534173012 CEST | 192.168.2.22 | 8.8.8.8 | 0xef41 | Standard query (0) | offlineclubz.com | A (IP address) | IN (0x0001)
Jun 16, 2021 12:01:42.646984100 CEST | 192.168.2.22 | 8.8.8.8 | 0xef41 | Standard query (0) | offlineclubz.com | A (IP address) | IN (0x0001)
Jun 16, 2021 12:03:08.136887074 CEST | 192.168.2.22 | 8.8.8.8 | 0xbeb3 | Standard query (0) | wealthybillionaire.ddns.net | A (IP address) | IN (0x0001)
Jun 16, 2021 12:03:08.196099997 CEST | 192.168.2.22 | 8.8.8.8 | 0xbeb3 | Standard query (0) | wealthybillionaire.ddns.net | A (IP address) | IN (0x0001)
Jun 16, 2021 12:03:25.335786104 CEST | 192.168.2.22 | 8.8.8.8 | 0xe42b | Standard query (0) | wealthybillionaire.ddns.net | A (IP address) | IN (0x0001)
Jun 16, 2021 12:03:41.962121010 CEST | 192.168.2.22 | 8.8.8.8 | 0xa0c2 | Standard query (0) | wealthybillionaire.ddns.net | A (IP address) | IN (0x0001)

                                                                          DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 16, 2021 12:01:41.790587902 CEST | 8.8.8.8 | 192.168.2.22 | 0x7e45 | No error (0) | bit.ly | - | 67.199.248.10 | A (IP address) | IN (0x0001)
Jun 16, 2021 12:01:41.790587902 CEST | 8.8.8.8 | 192.168.2.22 | 0x7e45 | No error (0) | bit.ly | - | 67.199.248.11 | A (IP address) | IN (0x0001)
Jun 16, 2021 12:01:41.846062899 CEST | 8.8.8.8 | 192.168.2.22 | 0x7e45 | No error (0) | bit.ly | - | 67.199.248.10 | A (IP address) | IN (0x0001)
Jun 16, 2021 12:01:41.846062899 CEST | 8.8.8.8 | 192.168.2.22 | 0x7e45 | No error (0) | bit.ly | - | 67.199.248.11 | A (IP address) | IN (0x0001)
Jun 16, 2021 12:01:42.533705950 CEST | 8.8.8.8 | 192.168.2.22 | 0xef41 | No error (0) | offlineclubz.com | - | 82.221.105.125 | A (IP address) | IN (0x0001)
Jun 16, 2021 12:01:42.646461964 CEST | 8.8.8.8 | 192.168.2.22 | 0xef41 | No error (0) | offlineclubz.com | - | 82.221.105.125 | A (IP address) | IN (0x0001)
Jun 16, 2021 12:01:42.709249973 CEST | 8.8.8.8 | 192.168.2.22 | 0xef41 | No error (0) | offlineclubz.com | - | 82.221.105.125 | A (IP address) | IN (0x0001)
Jun 16, 2021 12:03:08.195612907 CEST | 8.8.8.8 | 192.168.2.22 | 0xbeb3 | No error (0) | wealthybillionaire.ddns.net | - | 185.140.53.154 | A (IP address) | IN (0x0001)
Jun 16, 2021 12:03:08.255234957 CEST | 8.8.8.8 | 192.168.2.22 | 0xbeb3 | No error (0) | wealthybillionaire.ddns.net | - | 185.140.53.154 | A (IP address) | IN (0x0001)
Jun 16, 2021 12:03:25.396533966 CEST | 8.8.8.8 | 192.168.2.22 | 0xe42b | No error (0) | wealthybillionaire.ddns.net | - | 185.140.53.154 | A (IP address) | IN (0x0001)
Jun 16, 2021 12:03:42.022552013 CEST | 8.8.8.8 | 192.168.2.22 | 0xa0c2 | No error (0) | wealthybillionaire.ddns.net | - | 185.140.53.154 | A (IP address) | IN (0x0001)

                                                                          HTTPS Packets

Columns: Timestamp | Source IP | Source Port | Dest IP | Dest Port | Certificate chain (Subject; Issuer; Not Before; Not After) | JA3 SSL Client Fingerprint | JA3 SSL Client Digest

Timestamp: Jun 16, 2021 12:01:41.986649036 CEST
Source IP / Port: 67.199.248.10 / 443
Dest IP / Port: 192.168.2.22 / 49167
Certificate chain:
• Subject: CN=bit.ly, O="Bitly, Inc.", L=New York, ST=New York, C=US, SERIALNUMBER=4627013, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization; Issuer: CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US; Not Before: Wed Aug 05 02:00:00 CEST 2020; Not After: Tue Aug 10 14:00:00 CEST 2021
• Subject: CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US; Issuer: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US; Not Before: Tue Oct 22 14:00:00 CEST 2013; Not After: Sun Oct 22 14:00:00 CEST 2028
JA3 SSL Client Fingerprint: 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0
JA3 SSL Client Digest: 7dcce5b76c8b17472d024758970a406b

Timestamp: Jun 16, 2021 12:01:42.900809050 CEST
Source IP / Port: 82.221.105.125 / 443
Dest IP / Port: 192.168.2.22 / 49168
Certificate chain:
• Subject: CN=offlineclubz.com; Issuer: CN=R3, O=Let's Encrypt, C=US; Not Before: Wed Jun 16 00:18:52 CEST 2021; Not After: Tue Sep 14 00:18:51 CEST 2021
• Subject: CN=R3, O=Let's Encrypt, C=US; Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US; Not Before: Fri Sep 04 02:00:00 CEST 2020; Not After: Mon Sep 15 18:00:00 CEST 2025
• Subject: CN=ISRG Root X1, O=Internet Security Research Group, C=US; Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.; Not Before: Wed Jan 20 20:14:03 CET 2021; Not After: Mon Sep 30 20:14:03 CEST 2024
JA3 SSL Client Fingerprint: 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0
JA3 SSL Client Digest: 7dcce5b76c8b17472d024758970a406b

                                                                          Code Manipulations

                                                                          Statistics

                                                                          Behavior

                                                                          System Behavior

                                                                          General

                                                                          Start time:12:01:34
                                                                          Start date:16/06/2021
                                                                          Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          Wow64 process (32bit):false
                                                                          Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                                                          Imagebase:0x13ffc0000
                                                                          File size:1424032 bytes
                                                                          MD5 hash:95C38D04597050285A18F66039EDB456
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:12:01:35
                                                                          Start date:16/06/2021
                                                                          Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                                                          Imagebase:0x400000
                                                                          File size:543304 bytes
                                                                          MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:12:01:39
                                                                          Start date:16/06/2021
                                                                          Path:C:\Users\Public\098765.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\Public\098765.exe
                                                                          Imagebase:0xe30000
                                                                          File size:659456 bytes
                                                                          MD5 hash:5688C69C4379841EEE42DCAEC2DBF55A
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          Antivirus matches:
                                                                          • Detection: 100%, Joe Sandbox ML
                                                                          • Detection: 22%, ReversingLabs
                                                                          Reputation:low

                                                                          General

                                                                          Start time:12:01:51
                                                                          Start date:16/06/2021
                                                                          Path:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          Imagebase:0x1f0000
                                                                          File size:64672 bytes
                                                                          MD5 hash:ADF76F395D5A0ECBBF005390B73C3FD2
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2357249695.00000000028F1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2356610128.0000000000760000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2356610128.0000000000760000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          Antivirus matches:
• Detection: 0%, Metadefender
                                                                          • Detection: 0%, ReversingLabs
                                                                          Reputation:moderate

                                                                          General

                                                                          Start time:12:01:56
                                                                          Start date:16/06/2021
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7790.tmp'
                                                                          Imagebase:0x2a0000
                                                                          File size:179712 bytes
                                                                          MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:12:01:58
                                                                          Start date:16/06/2021
                                                                          Path:C:\Windows\System32\taskeng.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:taskeng.exe {6204476F-CB6D-41BF-A018-07A92169AAA2} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
                                                                          Imagebase:0xff3c0000
                                                                          File size:464384 bytes
                                                                          MD5 hash:65EA57712340C09B1B0C427B4848AE05
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate

                                                                          General

                                                                          Start time:12:01:58
                                                                          Start date:16/06/2021
                                                                          Path:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Local\Temp\RegAsm.exe 0
                                                                          Imagebase:0x1f0000
                                                                          File size:64672 bytes
                                                                          MD5 hash:ADF76F395D5A0ECBBF005390B73C3FD2
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Reputation:moderate

                                                                          Disassembly

                                                                          Code Analysis