Edit tour

Windows Analysis Report
MSystem32.exe

Overview

General Information

Sample name:	MSystem32.exe
Analysis ID:	1596563
MD5:	0b9c6adaad6b250ad72923c2014b44b0
SHA1:	7b9f82bef71e2d4ddfc258c2d1b7e7c5f76547fe
SHA256:	1a9dc2fbfe2257278e6452872cdbd18c50bf5c7142dd04c772f1633a7f20fd0d
Tags:	exeNanocoreRATuser-lontze7
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected Nanocore RAT

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

MSystem32.exe (PID: 6708 cmdline: "C:\Users\user\Desktop\MSystem32.exe" MD5: 0B9C6ADAAD6B250AD72923C2014B44B0)

schtasks.exe (PID: 2632 cmdline: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5FB6.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5172 cmdline: "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmp60B1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dw20.exe (PID: 7016 cmdline: dw20.exe -x -s 1524 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

MSystem32.exe (PID: 5688 cmdline: C:\Users\user\Desktop\MSystem32.exe 0 MD5: 0B9C6ADAAD6B250AD72923C2014B44B0)

dnshost.exe (PID: 5632 cmdline: "C:\Program Files (x86)\DNS Host\dnshost.exe" 0 MD5: 0B9C6ADAAD6B250AD72923C2014B44B0)

dnshost.exe (PID: 5352 cmdline: "C:\Program Files (x86)\DNS Host\dnshost.exe" MD5: 0B9C6ADAAD6B250AD72923C2014B44B0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nanocore RAT, NanoCore	Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.	APT33 The Gorgon Group	https://assets.virustotal.com/reports/2021trends.pdf https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack	https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "27f61c82-a893-4fbd-9acd-5df9ed98", "Group": "CustomRPC", "Domain1": "sulfux.ddns.net", "Domain2": "90.113.178.145", "Port": 9033, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
MSystem32.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
MSystem32.exe	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
MSystem32.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
MSystem32.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
MSystem32.exe	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x117ae:$v3: CommandType
MSystem32.exe	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\DNS Host\dnshost.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
C:\Program Files (x86)\DNS Host\dnshost.exe	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
C:\Program Files (x86)\DNS Host\dnshost.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
C:\Program Files (x86)\DNS Host\dnshost.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Program Files (x86)\DNS Host\dnshost.exe	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x117ae:$v3: CommandType
C:\Program Files (x86)\DNS Host\dnshost.exe	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.2302298443.0000000004001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.2302298443.0000000004001000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x49b23:$a1: NanoCore.ClientPluginHost 0x5d291:$a1: NanoCore.ClientPluginHost 0x7627d:$a1: NanoCore.ClientPluginHost 0x49ae6:$a2: NanoCore.ClientPlugin 0x5d25c:$a2: NanoCore.ClientPlugin 0x76248:$a2: NanoCore.ClientPlugin 0x49eba:$b1: get_BuilderSettings 0x621d7:$b1: get_BuilderSettings 0x7b1c3:$b1: get_BuilderSettings 0x49b71:$b4: IClientAppHost 0x49f2b:$b6: AddHostEntry 0x49f9a:$b7: LogClientException 0x62146:$b7: LogClientException 0x7b132:$b7: LogClientException 0x49f0f:$b8: PipeExists 0x49b5e:$b9: IClientLoggingHost 0x5d2ab:$b9: IClientLoggingHost 0x76297:$b9: IClientLoggingHost
00000006.00000002.2302298443.0000000004001000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a8d:$a: NanoCore 0x49ae6:$a: NanoCore 0x49b23:$a: NanoCore 0x49b9c:$a: NanoCore 0x5d247:$a: NanoCore 0x5d25c:$a: NanoCore 0x5d291:$a: NanoCore 0x76233:$a: NanoCore 0x76248:$a: NanoCore 0x7627d:$a: NanoCore 0x49aef:$b: ClientPlugin 0x49b2c:$b: ClientPlugin 0x4a42a:$b: ClientPlugin 0x4a437:$b: ClientPlugin 0x5d003:$b: ClientPlugin 0x5d01e:$b: ClientPlugin 0x5d04e:$b: ClientPlugin 0x5d265:$b: ClientPlugin 0x5d29a:$b: ClientPlugin 0x75fef:$b: ClientPlugin 0x7600a:$b: ClientPlugin
00000000.00000002.3193422405.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.3193422405.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
00000000.00000002.3193422405.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000000.00000002.3193422405.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000000.00000000.2220370877.0000000000952000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000000.2220370877.0000000000952000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
00000000.00000000.2220370877.0000000000952000.00000002.00000001.01000000.00000003.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000000.2220370877.0000000000952000.00000002.00000001.01000000.00000003.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000000.2220370877.0000000000952000.00000002.00000001.01000000.00000003.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfcf5:$v1: NanoCore Client 0xfd05:$v1: NanoCore Client 0x115c6:$v2: PluginCommand 0x115ae:$v3: CommandType
00000007.00000002.2303284587.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.2303284587.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x40bfd:$a1: NanoCore.ClientPluginHost 0x40bc0:$a2: NanoCore.ClientPlugin 0x340d3:$b1: get_BuilderSettings 0x40f94:$b1: get_BuilderSettings 0x40c4b:$b4: IClientAppHost 0x41005:$b6: AddHostEntry 0x34042:$b7: LogClientException 0x41074:$b7: LogClientException 0x40fe9:$b8: PipeExists 0x40c38:$b9: IClientLoggingHost
00000007.00000002.2303284587.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x40b67:$a: NanoCore 0x40bc0:$a: NanoCore 0x40bfd:$a: NanoCore 0x40c76:$a: NanoCore 0x40bc9:$b: ClientPlugin 0x40c06:$b: ClientPlugin 0x41504:$b: ClientPlugin 0x41511:$b: ClientPlugin 0x388de:$e: KeepAlive 0x41051:$g: LogClientMessage 0x40fd1:$i: get_Connected 0x32b99:$j: #=q 0x32bc9:$j: #=q 0x32c05:$j: #=q 0x32c2d:$j: #=q 0x32c5d:$j: #=q 0x32c8d:$j: #=q 0x32cbd:$j: #=q 0x32ced:$j: #=q 0x32d09:$j: #=q 0x32d39:$j: #=q
00000000.00000002.3192183909.0000000005A00000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
00000000.00000002.3192183909.0000000005A00000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000000.00000002.3192183909.0000000005A00000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000006.00000002.2302209097.0000000003001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.2302209097.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x40b25:$a1: NanoCore.ClientPluginHost 0x40ae8:$a2: NanoCore.ClientPlugin 0x33ffb:$b1: get_BuilderSettings 0x40ebc:$b1: get_BuilderSettings 0x40b73:$b4: IClientAppHost 0x40f2d:$b6: AddHostEntry 0x33f6a:$b7: LogClientException 0x40f9c:$b7: LogClientException 0x40f11:$b8: PipeExists 0x40b60:$b9: IClientLoggingHost
00000006.00000002.2302209097.0000000003001000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x40a8f:$a: NanoCore 0x40ae8:$a: NanoCore 0x40b25:$a: NanoCore 0x40b9e:$a: NanoCore 0x40af1:$b: ClientPlugin 0x40b2e:$b: ClientPlugin 0x4142c:$b: ClientPlugin 0x41439:$b: ClientPlugin 0x38806:$e: KeepAlive 0x40f79:$g: LogClientMessage 0x40ef9:$i: get_Connected 0x32ac1:$j: #=q 0x32af1:$j: #=q 0x32b2d:$j: #=q 0x32b55:$j: #=q 0x32b85:$j: #=q 0x32bb5:$j: #=q 0x32be5:$j: #=q 0x32c15:$j: #=q 0x32c31:$j: #=q 0x32c61:$j: #=q
00000000.00000002.3187385566.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x194a9:$a1: NanoCore.ClientPluginHost 0x1946c:$a2: NanoCore.ClientPlugin 0x19840:$b1: get_BuilderSettings 0x194f7:$b4: IClientAppHost 0x198b1:$b6: AddHostEntry 0x19920:$b7: LogClientException 0x19895:$b8: PipeExists 0x194e4:$b9: IClientLoggingHost
Process Memory Space: MSystem32.exe PID: 6708	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: MSystem32.exe PID: 6708	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb626:$a1: NanoCore.ClientPluginHost 0x25aa4:$a1: NanoCore.ClientPluginHost 0x37112:$a1: NanoCore.ClientPluginHost 0x46221:$a1: NanoCore.ClientPluginHost 0xb5e6:$a2: NanoCore.ClientPlugin 0x25a6f:$a2: NanoCore.ClientPlugin 0x370d5:$a2: NanoCore.ClientPlugin 0x461e4:$a2: NanoCore.ClientPlugin 0xd4fd:$b1: get_BuilderSettings 0x2a876:$b1: get_BuilderSettings 0x3748c:$b1: get_BuilderSettings 0x46587:$b1: get_BuilderSettings 0xb3a7:$b2: ClientLoaderForm.resources 0xcc1d:$b3: PluginCommand 0xb617:$b4: IClientAppHost 0x37160:$b4: IClientAppHost 0x4626f:$b4: IClientAppHost 0x15a50:$b5: GetBlockHash 0xdb55:$b6: AddHostEntry 0x18c74:$b6: AddHostEntry 0x374fd:$b6: AddHostEntry
Process Memory Space: MSystem32.exe PID: 6708	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb2f3:$a: NanoCore 0xb303:$a: NanoCore 0xb3c2:$a: NanoCore 0xb3d1:$a: NanoCore 0xb5d2:$a: NanoCore 0xb5e6:$a: NanoCore 0xb626:$a: NanoCore 0x16844:$a: NanoCore 0x16856:$a: NanoCore 0x16892:$a: NanoCore 0x25a5a:$a: NanoCore 0x25a6f:$a: NanoCore 0x25aa4:$a: NanoCore 0x2ac26:$a: NanoCore 0x2ac39:$a: NanoCore 0x2ac6b:$a: NanoCore 0x3707c:$a: NanoCore 0x370d5:$a: NanoCore 0x37112:$a: NanoCore 0x3718b:$a: NanoCore 0x37a44:$a: NanoCore
Process Memory Space: MSystem32.exe PID: 6708	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb626:$x1: NanoCore.ClientPluginHost 0x25aa4:$x1: NanoCore.ClientPluginHost 0x37112:$x1: NanoCore.ClientPluginHost 0x46221:$x1: NanoCore.ClientPluginHost 0xb663:$x2: IClientNetworkHost 0x25ad1:$x2: IClientNetworkHost 0x3712c:$x2: IClientNetworkHost 0x4623b:$x2: IClientNetworkHost 0xf154:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1a1da:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: MSystem32.exe PID: 6708	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xb2f3:$v1: NanoCore Client 0xb303:$v1: NanoCore Client 0xb3c2:$v1: NanoCore Client 0xb3d1:$v1: NanoCore Client 0x402ca:$v1: NanoCore Client 0x402de:$v1: NanoCore Client 0x403a8:$v1: NanoCore Client 0x63dcc:$v1: NanoCore Client 0xcc1d:$v2: PluginCommand 0x17db6:$v2: PluginCommand 0xcc05:$v3: CommandType 0x17da0:$v3: CommandType 0x268fd:$v3: CommandType 0x2baf9:$v3: CommandType
Process Memory Space: MSystem32.exe PID: 5688	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: MSystem32.exe PID: 5688	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4da8:$a1: NanoCore.ClientPluginHost 0x27497:$a1: NanoCore.ClientPluginHost 0x4d6b:$a2: NanoCore.ClientPlugin 0x2745a:$a2: NanoCore.ClientPlugin 0x5122:$b1: get_BuilderSettings 0x20c3b:$b1: get_BuilderSettings 0x4df6:$b4: IClientAppHost 0x274e5:$b4: IClientAppHost 0x5193:$b6: AddHostEntry 0x277f0:$b6: AddHostEntry 0x5202:$b7: LogClientException 0x20baa:$b7: LogClientException 0x5177:$b8: PipeExists 0x277d4:$b8: PipeExists 0x4de3:$b9: IClientLoggingHost 0x274d2:$b9: IClientLoggingHost
Process Memory Space: MSystem32.exe PID: 5688	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2068:$a: NanoCore 0x4d12:$a: NanoCore 0x4d6b:$a: NanoCore 0x4da8:$a: NanoCore 0x4e21:$a: NanoCore 0x56da:$a: NanoCore 0x572d:$a: NanoCore 0x5766:$a: NanoCore 0x57d9:$a: NanoCore 0xcdab:$a: NanoCore 0xcdbe:$a: NanoCore 0xcdf0:$a: NanoCore 0x12ada:$a: NanoCore 0x12aed:$a: NanoCore 0x12b1f:$a: NanoCore 0x1b29e:$a: NanoCore 0x1b30d:$a: NanoCore 0x1b397:$a: NanoCore 0x27401:$a: NanoCore 0x2745a:$a: NanoCore 0x27497:$a: NanoCore
Process Memory Space: dnshost.exe PID: 5632	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dnshost.exe PID: 5632	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf5f7:$a1: NanoCore.ClientPluginHost 0xf5ba:$a2: NanoCore.ClientPlugin 0x8da1:$b1: get_BuilderSettings 0xf645:$b4: IClientAppHost 0xf950:$b6: AddHostEntry 0x8d10:$b7: LogClientException 0xf934:$b8: PipeExists 0xf632:$b9: IClientLoggingHost
Process Memory Space: dnshost.exe PID: 5632	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x33de:$a: NanoCore 0x344d:$a: NanoCore 0x34e4:$a: NanoCore 0xf561:$a: NanoCore 0xf5ba:$a: NanoCore 0xf5f7:$a: NanoCore 0xf670:$a: NanoCore 0xfdfc:$a: NanoCore 0xfe4f:$a: NanoCore 0xfe88:$a: NanoCore 0xfefb:$a: NanoCore 0x10b52:$a: NanoCore 0x13270:$a: NanoCore 0x13284:$a: NanoCore 0x1330f:$a: NanoCore 0x125d:$b: ClientPlugin 0x129e:$b: ClientPlugin 0xa930:$b: ClientPlugin 0xa971:$b: ClientPlugin 0xf5c3:$b: ClientPlugin 0xf600:$b: ClientPlugin
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.MSystem32.exe.5a00000.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
0.2.MSystem32.exe.5a00000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0.2.MSystem32.exe.5a00000.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
0.2.MSystem32.exe.5c90000.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.MSystem32.exe.5c90000.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
0.2.MSystem32.exe.5c90000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0.2.MSystem32.exe.5c90000.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
0.2.MSystem32.exe.5c94629.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.MSystem32.exe.5c94629.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
0.2.MSystem32.exe.5c94629.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
0.2.MSystem32.exe.5c94629.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
7.2.dnshost.exe.2dc0d88.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
7.2.dnshost.exe.2dc0d88.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.dnshost.exe.2dc0d88.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
6.2.MSystem32.exe.404eae4.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.MSystem32.exe.404eae4.1.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
6.2.MSystem32.exe.404eae4.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
6.2.MSystem32.exe.404eae4.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
0.2.MSystem32.exe.5c90000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.MSystem32.exe.5c90000.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
0.2.MSystem32.exe.5c90000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
0.2.MSystem32.exe.5c90000.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
6.2.MSystem32.exe.405310d.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.MSystem32.exe.405310d.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x24170:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x2413b:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x290b6:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x29025:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x2418a:$b9: IClientLoggingHost
6.2.MSystem32.exe.405310d.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24170:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2419d:$x2: IClientNetworkHost
6.2.MSystem32.exe.405310d.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x2413b:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x24170:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x2412f:$i2: IClientData 0xb165:$i3: IClientNetwork 0x24151:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x24160:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x2418a:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x2419d:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x241b0:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x241be:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x241da:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
6.2.MSystem32.exe.3040cb0.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
6.2.MSystem32.exe.3040cb0.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
6.2.MSystem32.exe.3040cb0.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
6.2.MSystem32.exe.404eae4.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.MSystem32.exe.404eae4.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x28799:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x28764:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d6df:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d64e:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x287b3:$b9: IClientLoggingHost
6.2.MSystem32.exe.404eae4.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28799:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287c6:$x2: IClientNetworkHost
6.2.MSystem32.exe.404eae4.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x28764:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28799:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28758:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x2877a:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28789:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x287b3:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x287c6:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x287d9:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x287e7:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x28803:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
0.0.MSystem32.exe.950000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.0.MSystem32.exe.950000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.0.MSystem32.exe.950000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.0.MSystem32.exe.950000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.0.MSystem32.exe.950000.0.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x117ae:$v3: CommandType
0.0.MSystem32.exe.950000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
6.2.MSystem32.exe.4049cae.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.MSystem32.exe.4049cae.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2d5cf:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x2d59a:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0x32515:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x32484:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost 0x2d5e9:$b9: IClientLoggingHost
6.2.MSystem32.exe.4049cae.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d585:$a: NanoCore 0x2d59a:$a: NanoCore 0x2d5cf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d341:$b: ClientPlugin 0x2d35c:$b: ClientPlugin
6.2.MSystem32.exe.4049cae.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5cf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5fc:$x2: IClientNetworkHost
6.2.MSystem32.exe.4049cae.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d59a:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d5cf:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d58e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d5b0:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d5bf:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d5e9:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
0.2.MSystem32.exe.2fc9634.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
0.2.MSystem32.exe.2fc9634.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0.2.MSystem32.exe.2fc9634.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
Click to see the 42 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\MSystem32.exe, ProcessId: 6708, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\MSystem32.exe, ProcessId: 6708, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

System Summary

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5FB6.tmp", CommandLine: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5FB6.tmp", CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\MSystem32.exe", ParentImage: C:\Users\user\Desktop\MSystem32.exe, ParentProcessId: 6708, ParentProcessName: MSystem32.exe, ProcessCommandLine: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5FB6.tmp", ProcessId: 2632, ProcessName: schtasks.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Program Files (x86)\DNS Host\dnshost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\MSystem32.exe, ProcessId: 6708, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DNS Host

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5FB6.tmp", CommandLine: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5FB6.tmp", CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\MSystem32.exe", ParentImage: C:\Users\user\Desktop\MSystem32.exe, ParentProcessId: 6708, ParentProcessName: MSystem32.exe, ProcessCommandLine: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5FB6.tmp", ProcessId: 2632, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\MSystem32.exe, ProcessId: 6708, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\MSystem32.exe, ProcessId: 6708, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

Suricata Signatures

ET MALWARE NanoCore RAT CnC 7

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T06:57:07.940201+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49739	90.113.179.93	9033	TCP
2025-01-22T06:57:08.064794+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49739	90.113.179.93	9033	TCP
2025-01-22T06:57:08.127336+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49739	90.113.179.93	9033	TCP
2025-01-22T06:57:08.252221+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49739	90.113.179.93	9033	TCP
2025-01-22T06:57:08.377222+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49739	90.113.179.93	9033	TCP
2025-01-22T06:57:08.515442+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49739	90.113.179.93	9033	TCP
2025-01-22T06:57:08.585268+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49739	90.113.179.93	9033	TCP
2025-01-22T06:57:08.716442+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49739	90.113.179.93	9033	TCP
2025-01-22T06:57:08.830332+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49739	90.113.179.93	9033	TCP
2025-01-22T06:57:13.076818+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:13.233859+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:13.361546+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:13.424270+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:13.549238+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:13.674102+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:13.799163+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:13.869144+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:14.002767+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:14.127355+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:14.252306+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:14.314712+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:14.439753+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:14.564722+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:14.689836+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:14.752281+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:18.939774+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:19.064815+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:19.189911+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:19.332464+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:19.396301+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:19.517911+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:19.643096+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:19.767971+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:19.830565+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:19.955618+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:20.080383+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:20.205789+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:20.268208+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:20.393181+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:20.518744+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:20.643057+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:24.816035+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:24.877355+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:25.002245+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:25.127236+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:25.252855+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:25.377223+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:25.439726+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:25.564794+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:25.689865+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:25.815080+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:25.888510+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:26.006676+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:26.127241+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:26.189737+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:26.314996+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:26.439813+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:26.564783+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:30.705504+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:30.830426+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:30.955852+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:31.080783+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:31.142819+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:31.267878+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:31.393057+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:31.455469+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:31.580341+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:31.709472+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:31.830751+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:31.956197+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:32.021199+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:32.159234+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:32.288900+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:32.509128+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:36.627277+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:36.752277+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:36.814762+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:36.941334+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:37.064744+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:37.190769+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:37.252413+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:37.377605+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:37.502393+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:37.627365+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:37.752261+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:37.814850+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:37.947865+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:38.081334+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:38.145358+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:38.304196+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:38.566637+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:42.846118+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:42.908600+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:43.033516+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:43.158507+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:43.283505+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:43.345990+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:43.471233+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:43.596038+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:43.721019+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:43.846132+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:43.908698+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:44.034296+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:44.158649+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:44.283622+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:44.408526+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:44.483290+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:48.674072+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:48.799168+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:48.861709+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:48.986754+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:49.112144+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:49.237036+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:49.299128+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:49.424114+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:49.549247+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:49.612246+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:49.745873+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:49.878847+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:49.939854+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:50.084143+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:50.262019+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:50.359678+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:50.441201+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:54.627358+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:54.736734+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:54.846038+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:54.908661+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.018192+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.127422+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.237469+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.283933+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.395219+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.502347+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.565037+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.674242+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.784195+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.938982+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.994355+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:56.132125+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:58:00.252216+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:00.371634+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:00.424350+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:00.470998+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:00.565231+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:00.658580+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:00.718300+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:00.815004+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:00.861598+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:00.964570+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:01.036449+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:01.334395+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:01.378083+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:01.473464+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:01.580603+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:01.627385+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:01.721257+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:05.851263+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:05.895216+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:05.955450+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.033688+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.080603+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.158683+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.190474+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.268185+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.315001+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.377730+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.471339+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.502752+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.580714+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.643232+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.705541+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.752415+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:10.846187+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:10.877360+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:10.940020+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:10.971078+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.033695+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.080483+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.111659+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.174424+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.205402+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.236875+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.299326+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.330597+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.393148+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.424340+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.486904+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.518100+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:15.616368+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50017	90.113.179.93	9033	TCP
2025-01-22T06:58:19.678582+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50018	90.113.179.93	9033	TCP
2025-01-22T06:58:19.690031+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50018	90.113.179.93	9033	TCP
2025-01-22T06:58:23.752840+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50019	90.113.179.93	9033	TCP
2025-01-22T06:58:23.771266+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50019	90.113.179.93	9033	TCP
2025-01-22T06:58:27.817660+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50020	90.113.178.145	9033	TCP
2025-01-22T06:58:27.833579+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50020	90.113.178.145	9033	TCP
2025-01-22T06:58:32.007943+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50022	90.113.178.145	9033	TCP
2025-01-22T06:58:32.126411+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50022	90.113.178.145	9033	TCP
2025-01-22T06:58:32.155475+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50022	90.113.178.145	9033	TCP
2025-01-22T06:58:32.191453+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50022	90.113.178.145	9033	TCP
2025-01-22T06:58:32.207978+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50022	90.113.178.145	9033	TCP
2025-01-22T06:58:32.223023+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50022	90.113.178.145	9033	TCP
2025-01-22T06:58:32.259337+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50022	90.113.178.145	9033	TCP
2025-01-22T06:58:36.302070+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50025	90.113.178.145	9033	TCP
2025-01-22T06:58:36.315252+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50025	90.113.178.145	9033	TCP
2025-01-22T06:58:36.330601+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.6	50025	90.113.178.145	9033	TCP

ETPRO MALWARE NanoCore RAT CnC 19

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T06:57:07.940201+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49739	90.113.179.93	9033	TCP
2025-01-22T06:57:08.064794+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49739	90.113.179.93	9033	TCP
2025-01-22T06:57:08.127336+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49739	90.113.179.93	9033	TCP
2025-01-22T06:57:08.252221+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49739	90.113.179.93	9033	TCP
2025-01-22T06:57:08.377222+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49739	90.113.179.93	9033	TCP
2025-01-22T06:57:08.515442+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49739	90.113.179.93	9033	TCP
2025-01-22T06:57:08.585268+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49739	90.113.179.93	9033	TCP
2025-01-22T06:57:08.716442+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49739	90.113.179.93	9033	TCP
2025-01-22T06:57:08.830332+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49739	90.113.179.93	9033	TCP
2025-01-22T06:57:13.076818+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:13.233859+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:13.361546+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:13.424270+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:13.549238+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:13.674102+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:13.799163+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:13.869144+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:14.002767+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:14.127355+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:14.252306+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:14.314712+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:14.439753+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:14.564722+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:14.689836+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:14.752281+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:57:18.939774+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:19.064815+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:19.189911+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:19.332464+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:19.396301+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:19.517911+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:19.643096+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:19.767971+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:19.830565+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:19.955618+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:20.080383+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:20.205789+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:20.268208+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:20.393181+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:20.518744+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:20.643057+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49818	90.113.179.93	9033	TCP
2025-01-22T06:57:24.816035+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:24.877355+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:25.002245+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:25.127236+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:25.252855+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:25.377223+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:25.439726+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:25.564794+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:25.689865+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:25.815080+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:25.888510+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:26.006676+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:26.127241+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:26.189737+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:26.314996+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:26.439813+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:26.564783+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49859	90.113.178.145	9033	TCP
2025-01-22T06:57:30.705504+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:30.830426+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:30.955852+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:31.080783+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:31.142819+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:31.267878+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:31.393057+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:31.455469+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:31.580341+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:31.709472+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:31.830751+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:31.956197+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:32.021199+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:32.159234+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:32.288900+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:32.509128+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49905	90.113.178.145	9033	TCP
2025-01-22T06:57:36.627277+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:36.752277+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:36.814762+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:36.941334+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:37.064744+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:37.190769+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:37.252413+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:37.377605+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:37.502393+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:37.627365+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:37.752261+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:37.814850+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:37.947865+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:38.081334+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:38.145358+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:38.304196+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:38.566637+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49952	90.113.178.145	9033	TCP
2025-01-22T06:57:42.846118+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:42.908600+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:43.033516+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:43.158507+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:43.283505+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:43.345990+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:43.471233+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:43.596038+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:43.721019+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:43.846132+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:43.908698+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:44.034296+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:44.158649+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:44.283622+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:44.408526+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:44.483290+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	49993	90.113.179.93	9033	TCP
2025-01-22T06:57:48.674072+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:48.799168+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:48.861709+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:48.986754+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:49.112144+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:49.237036+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:49.299128+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:49.424114+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:49.549247+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:49.612246+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:49.745873+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:49.878847+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:49.939854+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:50.084143+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:50.262019+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:50.359678+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:50.441201+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50009	90.113.179.93	9033	TCP
2025-01-22T06:57:54.627358+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:54.736734+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:54.846038+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:54.908661+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.018192+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.127422+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.237469+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.283933+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.395219+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.502347+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.565037+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.674242+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.784195+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.938982+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:55.994355+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:57:56.132125+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50010	90.113.179.93	9033	TCP
2025-01-22T06:58:00.252216+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:00.371634+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:00.424350+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:00.470998+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:00.565231+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:00.658580+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:00.718300+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:00.815004+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:00.861598+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:00.964570+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:01.036449+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:01.334395+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:01.378083+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:01.473464+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:01.580603+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:01.627385+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:01.721257+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50014	90.113.178.145	9033	TCP
2025-01-22T06:58:05.851263+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:05.895216+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:05.955450+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.033688+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.080603+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.158683+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.190474+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.268185+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.315001+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.377730+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.471339+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.502752+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.580714+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.643232+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.705541+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:06.752415+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50015	90.113.178.145	9033	TCP
2025-01-22T06:58:10.846187+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:10.877360+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:10.940020+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:10.971078+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.033695+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.080483+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.111659+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.174424+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.205402+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.236875+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.299326+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.330597+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.393148+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.424340+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.486904+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:11.518100+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50016	90.113.178.145	9033	TCP
2025-01-22T06:58:15.616368+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50017	90.113.179.93	9033	TCP
2025-01-22T06:58:19.678582+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50018	90.113.179.93	9033	TCP
2025-01-22T06:58:19.690031+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50018	90.113.179.93	9033	TCP
2025-01-22T06:58:23.752840+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50019	90.113.179.93	9033	TCP
2025-01-22T06:58:23.771266+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50019	90.113.179.93	9033	TCP
2025-01-22T06:58:27.817660+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50020	90.113.178.145	9033	TCP
2025-01-22T06:58:27.833579+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50020	90.113.178.145	9033	TCP
2025-01-22T06:58:32.007943+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50022	90.113.178.145	9033	TCP
2025-01-22T06:58:32.126411+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50022	90.113.178.145	9033	TCP
2025-01-22T06:58:32.155475+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50022	90.113.178.145	9033	TCP
2025-01-22T06:58:32.191453+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50022	90.113.178.145	9033	TCP
2025-01-22T06:58:32.207978+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50022	90.113.178.145	9033	TCP
2025-01-22T06:58:32.223023+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50022	90.113.178.145	9033	TCP
2025-01-22T06:58:32.259337+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50022	90.113.178.145	9033	TCP
2025-01-22T06:58:36.302070+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50025	90.113.178.145	9033	TCP
2025-01-22T06:58:36.315252+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50025	90.113.178.145	9033	TCP
2025-01-22T06:58:36.330601+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.6	50025	90.113.178.145	9033	TCP

ETPRO MALWARE NanoCore RAT Keep-Alive Beacon

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T06:57:13.076818+0100	2816718	1	A Network Trojan was detected	192.168.2.6	49780	90.113.179.93	9033	TCP
2025-01-22T06:58:23.752840+0100	2816718	1	A Network Trojan was detected	192.168.2.6	50019	90.113.179.93	9033	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: MSystem32.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\DNS Host\dnshost.exe

Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7

Found malware configuration

Source: 00000006.00000002.2302298443.0000000004001000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "27f61c82-a893-4fbd-9acd-5df9ed98", "Group": "CustomRPC", "Domain1": "sulfux.ddns.net", "Domain2": "90.113.178.145", "Port": 9033, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DNS Host\dnshost.exe

ReversingLabs: Detection: 97%

Multi AV Scanner detection for submitted file

Source: MSystem32.exe	ReversingLabs: Detection: 97%
Source: MSystem32.exe	Virustotal: Detection: 88%			Perma Link

Yara detected Nanocore RAT

Source: Yara match	File source: MSystem32.exe, type: SAMPLE
Source: Yara match	File source: 0.2.MSystem32.exe.5c90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MSystem32.exe.5c94629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSystem32.exe.404eae4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MSystem32.exe.5c90000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSystem32.exe.405310d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSystem32.exe.404eae4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.MSystem32.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSystem32.exe.4049cae.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2302298443.0000000004001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3193422405.0000000005C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2220370877.0000000000952000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2303284587.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2302209097.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSystem32.exe PID: 6708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSystem32.exe PID: 5688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 5632, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\DNS Host\dnshost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: MSystem32.exe

Joe Sandbox ML: detected

Source: MSystem32.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\MSystem32.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.6:49739 -> 90.113.179.93:9033
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.6:49739 -> 90.113.179.93:9033
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.6:49780 -> 90.113.179.93:9033
Source: Network traffic	Suricata IDS: 2816718 - Severity 1 - ETPRO MALWARE NanoCore RAT Keep-Alive Beacon : 192.168.2.6:49780 -> 90.113.179.93:9033
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.6:49780 -> 90.113.179.93:9033
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.6:49818 -> 90.113.179.93:9033
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.6:49818 -> 90.113.179.93:9033
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.6:49859 -> 90.113.178.145:9033
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.6:49859 -> 90.113.178.145:9033
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.6:49905 -> 90.113.178.145:9033
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.6:49905 -> 90.113.178.145:9033
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.6:49952 -> 90.113.178.145:9033
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.6:49952 -> 90.113.178.145:9033
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.6:49993 -> 90.113.179.93:9033
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.6:49993 -> 90.113.179.93:9033
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.6:50010 -> 90.113.179.93:9033
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.6:50014 -> 90.113.178.145:9033
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.6:50014 -> 90.113.178.145:9033
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.6:50016 -> 90.113.178.145:9033
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.6:50010 -> 90.113.179.93:9033
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.6:50017 -> 90.113.179.93:9033
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.6:50017 -> 90.113.179.93:9033
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.6:50018 -> 90.113.179.93:9033
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.6:50020 -> 90.113.178.145:9033
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.6:50020 -> 90.113.178.145:9033
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.6:50016 -> 90.113.178.145:9033
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.6:50022 -> 90.113.178.145:9033
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.6:50019 -> 90.113.179.93:9033
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.6:50018 -> 90.113.179.93:9033
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.6:50015 -> 90.113.178.145:9033
Source: Network traffic	Suricata IDS: 2816718 - Severity 1 - ETPRO MALWARE NanoCore RAT Keep-Alive Beacon : 192.168.2.6:50019 -> 90.113.179.93:9033
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.6:50022 -> 90.113.178.145:9033
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.6:50019 -> 90.113.179.93:9033
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.6:50015 -> 90.113.178.145:9033
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.6:50009 -> 90.113.179.93:9033
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.6:50009 -> 90.113.179.93:9033
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.6:50025 -> 90.113.178.145:9033
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.6:50025 -> 90.113.178.145:9033

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: sulfux.ddns.net
Source: Malware configuration extractor	URLs: 90.113.178.145

Uses dynamic DNS services

Source: unknown

DNS query: name: sulfux.ddns.net

Source: global traffic	TCP traffic: 192.168.2.6:49739 -> 90.113.179.93:9033
Source: global traffic	TCP traffic: 192.168.2.6:49859 -> 90.113.178.145:9033

Source: Joe Sandbox View

ASN Name: FranceTelecom-OrangeFR FranceTelecom-OrangeFR

Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145
Source: unknown	TCP traffic detected without corresponding DNS query: 90.113.178.145

Source: C:\Users\user\Desktop\MSystem32.exe

Code function: 0_2_05322D56 WSARecv,

0_2_05322D56

Source: global traffic

DNS traffic detected: DNS query: sulfux.ddns.net

Source: Amcache.hve.18.dr

String found in binary or memory: http://upx.sf.net

Source: MSystem32.exe, 00000000.00000002.3193422405.0000000005C90000.00000004.08000000.00040000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_4273dc7c-f

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: MSystem32.exe, type: SAMPLE
Source: Yara match	File source: 0.2.MSystem32.exe.5c90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MSystem32.exe.5c94629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSystem32.exe.404eae4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MSystem32.exe.5c90000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSystem32.exe.405310d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSystem32.exe.404eae4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.MSystem32.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSystem32.exe.4049cae.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2302298443.0000000004001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3193422405.0000000005C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2220370877.0000000000952000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2303284587.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2302209097.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSystem32.exe PID: 6708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSystem32.exe PID: 5688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 5632, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: MSystem32.exe, type: SAMPLE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: MSystem32.exe, type: SAMPLE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: MSystem32.exe, type: SAMPLE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: MSystem32.exe, type: SAMPLE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: MSystem32.exe, type: SAMPLE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.MSystem32.exe.5a00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.MSystem32.exe.5a00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.MSystem32.exe.5a00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.MSystem32.exe.5c90000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.MSystem32.exe.5c90000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.MSystem32.exe.5c90000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.MSystem32.exe.5c94629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.MSystem32.exe.5c94629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.MSystem32.exe.5c94629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.dnshost.exe.2dc0d88.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.dnshost.exe.2dc0d88.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dnshost.exe.2dc0d88.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSystem32.exe.404eae4.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSystem32.exe.404eae4.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSystem32.exe.404eae4.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.MSystem32.exe.5c90000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.MSystem32.exe.5c90000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.MSystem32.exe.5c90000.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSystem32.exe.405310d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSystem32.exe.405310d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSystem32.exe.405310d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSystem32.exe.3040cb0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSystem32.exe.3040cb0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSystem32.exe.3040cb0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSystem32.exe.404eae4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSystem32.exe.404eae4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSystem32.exe.404eae4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.0.MSystem32.exe.950000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.0.MSystem32.exe.950000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.MSystem32.exe.950000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.MSystem32.exe.950000.0.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.MSystem32.exe.950000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSystem32.exe.4049cae.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSystem32.exe.4049cae.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.MSystem32.exe.4049cae.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSystem32.exe.4049cae.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.MSystem32.exe.2fc9634.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.MSystem32.exe.2fc9634.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.MSystem32.exe.2fc9634.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.2302298443.0000000004001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.2302298443.0000000004001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.3193422405.0000000005C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.3193422405.0000000005C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.3193422405.0000000005C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000000.2220370877.0000000000952000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000000.2220370877.0000000000952000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.2220370877.0000000000952000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000000.2220370877.0000000000952000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2303284587.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000002.2303284587.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.3192183909.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.3192183909.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.3192183909.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.2302209097.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.2302209097.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.3187385566.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: MSystem32.exe PID: 6708, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: MSystem32.exe PID: 6708, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSystem32.exe PID: 6708, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: MSystem32.exe PID: 6708, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: MSystem32.exe PID: 5688, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: MSystem32.exe PID: 5688, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dnshost.exe PID: 5632, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dnshost.exe PID: 5632, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED	Matched rule: Detects NanoCore Author: ditekSHen

Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 0_2_053232A2 NtQuerySystemInformation,		0_2_053232A2
Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 0_2_05323267 NtQuerySystemInformation,		0_2_05323267

Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 0_2_05158988	0_2_05158988
Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 0_2_05153850	0_2_05153850
Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 0_2_0515B098	0_2_0515B098
Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 0_2_051523A0	0_2_051523A0
Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 0_2_05152FA8	0_2_05152FA8
Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 0_2_05159588	0_2_05159588
Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 0_2_0515306F	0_2_0515306F
Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 0_2_0515964F	0_2_0515964F
Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 6_2_051D3850	6_2_051D3850
Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 6_2_051D2FA8	6_2_051D2FA8
Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 6_2_051D23A0	6_2_051D23A0
Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 6_2_051D306F	6_2_051D306F
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 7_2_011E2FA8	7_2_011E2FA8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 7_2_011E23A0	7_2_011E23A0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 7_2_011E306F	7_2_011E306F
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 8_2_00E223A0	8_2_00E223A0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 8_2_00E22FA8	8_2_00E22FA8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 8_2_00E23850	8_2_00E23850
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 8_2_00E2306F	8_2_00E2306F

Source: C:\Users\user\Desktop\MSystem32.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1524

Source: MSystem32.exe, 00000000.00000002.3185244614.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs MSystem32.exe
Source: MSystem32.exe, 00000000.00000002.3193422405.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs MSystem32.exe
Source: MSystem32.exe, 00000000.00000002.3193422405.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs MSystem32.exe
Source: MSystem32.exe, 00000000.00000002.3188885400.0000000004030000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs MSystem32.exe
Source: MSystem32.exe, 00000000.00000002.3193526870.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs MSystem32.exe
Source: MSystem32.exe, 00000000.00000002.3192183909.0000000005A00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs MSystem32.exe
Source: MSystem32.exe, 00000000.00000002.3187385566.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs MSystem32.exe
Source: MSystem32.exe, 00000000.00000002.3188885400.0000000004017000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs MSystem32.exe
Source: MSystem32.exe, 00000006.00000002.2301866265.0000000001098000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs MSystem32.exe
Source: MSystem32.exe, 00000006.00000002.2302298443.0000000004001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs MSystem32.exe
Source: MSystem32.exe, 00000006.00000002.2302298443.0000000004001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs MSystem32.exe
Source: MSystem32.exe, 00000006.00000002.2302298443.0000000004001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs MSystem32.exe
Source: MSystem32.exe, 00000006.00000002.2302209097.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs MSystem32.exe
Source: MSystem32.exe, 00000006.00000002.2302209097.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs MSystem32.exe

Source: MSystem32.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: MSystem32.exe, type: SAMPLE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: MSystem32.exe, type: SAMPLE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: MSystem32.exe, type: SAMPLE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: MSystem32.exe, type: SAMPLE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: MSystem32.exe, type: SAMPLE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.MSystem32.exe.5a00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.MSystem32.exe.5a00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.MSystem32.exe.5a00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.MSystem32.exe.5c90000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.MSystem32.exe.5c90000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.MSystem32.exe.5c90000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.MSystem32.exe.5c94629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.MSystem32.exe.5c94629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.MSystem32.exe.5c94629.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.dnshost.exe.2dc0d88.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.dnshost.exe.2dc0d88.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dnshost.exe.2dc0d88.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSystem32.exe.404eae4.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSystem32.exe.404eae4.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSystem32.exe.404eae4.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.MSystem32.exe.5c90000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.MSystem32.exe.5c90000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.MSystem32.exe.5c90000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSystem32.exe.405310d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSystem32.exe.405310d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSystem32.exe.405310d.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSystem32.exe.3040cb0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSystem32.exe.3040cb0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSystem32.exe.3040cb0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSystem32.exe.404eae4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSystem32.exe.404eae4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSystem32.exe.404eae4.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.0.MSystem32.exe.950000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.0.MSystem32.exe.950000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.0.MSystem32.exe.950000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.0.MSystem32.exe.950000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.MSystem32.exe.950000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSystem32.exe.4049cae.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSystem32.exe.4049cae.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.MSystem32.exe.4049cae.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSystem32.exe.4049cae.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.MSystem32.exe.2fc9634.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.MSystem32.exe.2fc9634.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.MSystem32.exe.2fc9634.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.2302298443.0000000004001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.2302298443.0000000004001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.3193422405.0000000005C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.3193422405.0000000005C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.3193422405.0000000005C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000000.2220370877.0000000000952000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000000.2220370877.0000000000952000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000000.2220370877.0000000000952000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000000.2220370877.0000000000952000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2303284587.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000002.2303284587.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.3192183909.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.3192183909.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.3192183909.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.2302209097.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.2302209097.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.3187385566.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: MSystem32.exe PID: 6708, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: MSystem32.exe PID: 6708, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSystem32.exe PID: 6708, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: MSystem32.exe PID: 6708, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: MSystem32.exe PID: 5688, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: MSystem32.exe PID: 5688, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dnshost.exe PID: 5632, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dnshost.exe PID: 5632, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore

Source: MSystem32.exe, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: MSystem32.exe, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: MSystem32.exe, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: dnshost.exe.0.dr, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: dnshost.exe.0.dr, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: dnshost.exe.0.dr, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: MSystem32.exe, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: MSystem32.exe, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: dnshost.exe.0.dr, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dnshost.exe.0.dr, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/12@9/2

Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 0_2_05323062 AdjustTokenPrivileges,		0_2_05323062
Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 0_2_0532302B AdjustTokenPrivileges,		0_2_0532302B

Source: C:\Users\user\Desktop\MSystem32.exe

File created: C:\Program Files (x86)\DNS Host

Jump to behavior

Source: C:\Users\user\Desktop\MSystem32.exe

File created: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06

Jump to behavior

Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\MSystem32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2404:120:WilError_03
Source: C:\Users\user\Desktop\MSystem32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{27f61c82-a893-4fbd-9acd-5df9ed98d52d}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2360:120:WilError_03

Source: C:\Users\user\Desktop\MSystem32.exe

File created: C:\Users\user\AppData\Local\Temp\tmp5FB6.tmp

Jump to behavior

Source: MSystem32.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: MSystem32.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\MSystem32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MSystem32.exe	ReversingLabs: Detection: 97%
Source: MSystem32.exe	Virustotal: Detection: 88%

Source: C:\Users\user\Desktop\MSystem32.exe

File read: C:\Users\user\Desktop\MSystem32.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\MSystem32.exe "C:\Users\user\Desktop\MSystem32.exe"
Source: C:\Users\user\Desktop\MSystem32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5FB6.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MSystem32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmp60B1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\MSystem32.exe C:\Users\user\Desktop\MSystem32.exe 0
Source: unknown	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe" 0
Source: unknown	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Users\user\Desktop\MSystem32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1524
Source: C:\Users\user\Desktop\MSystem32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5FB6.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmp60B1.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1524	Jump to behavior

Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\MSystem32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\MSystem32.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: MSystem32.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\MSystem32.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Data Obfuscation

.NET source code contains potential unpacker

Source: MSystem32.exe, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dqf3c4WtE_0024_0024thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg_003D System.Reflection.Assembly.Load(byte[])
Source: MSystem32.exe, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dq_FL69pQf17BUSAFbWYu1SStMAbdu_0024R1GJ8VY8UL5_EA_003D System.Reflection.Assembly.Load(byte[])
Source: MSystem32.exe, --qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU-.cs	.Net Code: _0023_003DqKU0J1fiP8KA33eFK1owekQ_003D_003D System.Reflection.Assembly.Load(byte[])
Source: dnshost.exe.0.dr, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dqf3c4WtE_0024_0024thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg_003D System.Reflection.Assembly.Load(byte[])
Source: dnshost.exe.0.dr, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dq_FL69pQf17BUSAFbWYu1SStMAbdu_0024R1GJ8VY8UL5_EA_003D System.Reflection.Assembly.Load(byte[])
Source: dnshost.exe.0.dr, --qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU-.cs	.Net Code: _0023_003DqKU0J1fiP8KA33eFK1owekQ_003D_003D System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 0_2_01120E97 push ecx; iretd	0_2_01120F0D
Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 0_2_01120CA7 pushad ; iretd	0_2_01120CE5
Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 0_2_0112026D push ds; iretd	0_2_011204C4
Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 0_2_01299DAC push eax; retf	0_2_01299DAD
Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 0_2_01299DB0 pushad ; retf	0_2_01299DB1
Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 0_2_0129771D push es; ret	0_2_01297720
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 7_2_011E0280 push 28010026h; iretd	7_2_011E028D

Source: C:\Users\user\Desktop\MSystem32.exe

File created: C:\Program Files (x86)\DNS Host\dnshost.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\MSystem32.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5FB6.tmp"

Source: C:\Users\user\Desktop\MSystem32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run DNS Host			Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run DNS Host			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\MSystem32.exe

File opened: C:\Users\user\Desktop\MSystem32.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\MSystem32.exe	Memory allocated: 1320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Memory allocated: 4FB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Memory allocated: 1070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Memory allocated: 3000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Memory allocated: 5000000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 2D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 1330000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 2950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 4950000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\MSystem32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\MSystem32.exe	Window / User API: threadDelayed 1484	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Window / User API: threadDelayed 6006	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Window / User API: foregroundWindowGot 1636	Jump to behavior

Source: C:\Users\user\Desktop\MSystem32.exe TID: 5640	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe TID: 5332	Thread sleep time: -742000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe TID: 1052	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe TID: 5332	Thread sleep time: -3003000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe TID: 2544	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 2996	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 1048	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\MSystem32.exe

Code function: 0_2_0532169A GetSystemInfo,

0_2_0532169A

Source: C:\Users\user\Desktop\MSystem32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.18.dr	Binary or memory string: VMware
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.18.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.18.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.18.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.18.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.18.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.18.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: dw20.exe, 00000012.00000002.3186798816.0000000000822000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.18.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: dw20.exe, 00000012.00000002.3186798816.0000000000822000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: Amcache.hve.18.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: dw20.exe, 00000012.00000002.3186798816.00000000007B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: Amcache.hve.18.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.18.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.18.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.18.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.18.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.18.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.18.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.18.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.18.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.18.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.18.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: MSystem32.exe, 00000000.00000002.3185244614.0000000000DD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: Amcache.hve.18.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\MSystem32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\MSystem32.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\MSystem32.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\MSystem32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5FB6.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmp60B1.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\MSystem32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1524	Jump to behavior

Source: MSystem32.exe, 00000000.00000002.3187385566.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, MSystem32.exe, 00000000.00000002.3187385566.0000000003168000.00000004.00000800.00020000.00000000.sdmp, MSystem32.exe, 00000000.00000002.3187385566.00000000030BC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: MSystem32.exe, 00000000.00000002.3187385566.0000000003264000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager4

Source: C:\Users\user\Desktop\MSystem32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.18.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: MSystem32.exe, type: SAMPLE
Source: Yara match	File source: 0.2.MSystem32.exe.5c90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MSystem32.exe.5c94629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSystem32.exe.404eae4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MSystem32.exe.5c90000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSystem32.exe.405310d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSystem32.exe.404eae4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.MSystem32.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSystem32.exe.4049cae.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2302298443.0000000004001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3193422405.0000000005C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2220370877.0000000000952000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2303284587.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2302209097.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSystem32.exe PID: 6708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSystem32.exe PID: 5688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 5632, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED

Remote Access Functionality

Detected Nanocore Rat

Source: MSystem32.exe, 00000000.00000000.2220370877.0000000000952000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSystem32.exe, 00000000.00000002.3193422405.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSystem32.exe, 00000000.00000002.3192183909.0000000005A00000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSystem32.exe, 00000000.00000002.3192183909.0000000005A00000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: MSystem32.exe, 00000000.00000002.3187385566.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSystem32.exe, 00000000.00000002.3187385566.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: MSystem32.exe, 00000006.00000002.2302298443.0000000004001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSystem32.exe, 00000006.00000002.2302298443.0000000004001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: MSystem32.exe, 00000006.00000002.2302209097.0000000003001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSystem32.exe, 00000006.00000002.2302209097.0000000003001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dnshost.exe, 00000007.00000002.2303284587.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dnshost.exe, 00000007.00000002.2303284587.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: MSystem32.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: dnshost.exe.0.dr	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: MSystem32.exe, type: SAMPLE
Source: Yara match	File source: 0.2.MSystem32.exe.5c90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MSystem32.exe.5c94629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSystem32.exe.404eae4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MSystem32.exe.5c90000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSystem32.exe.405310d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSystem32.exe.404eae4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.MSystem32.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSystem32.exe.4049cae.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2302298443.0000000004001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3193422405.0000000005C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2220370877.0000000000952000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2303284587.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2302209097.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSystem32.exe PID: 6708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSystem32.exe PID: 5688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 5632, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED

Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 0_2_0532289A bind,		0_2_0532289A
Source: C:\Users\user\Desktop\MSystem32.exe	Code function: 0_2_05322848 bind,		0_2_05322848

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	11 Input Capture	13 System Information Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	11 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	12 Process Injection	1 Obfuscated Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Scheduled Task/Job	1 Software Packing	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	1 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Masquerading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	21 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MSystem32.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: NanoCore

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
MSystem32.exe