
Analysis Report 22021Item_list_sheet#7292020_PDF.exe

Overview

General Information

Sample Name:22021Item_list_sheet#7292020_PDF.exe
Analysis ID:253860
MD5:e989518eabe414ef4b959eb7de190e7c
SHA1:babf737fe0bdc53992f6a5e0ee5d761dd21fb89a
SHA256:ccd0bc8e90dc66863f6aab4a7d41e633ffb0799acf61e400c0e8f2568279c696


Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 22021Item_list_sheet#7292020_PDF.exe (PID: 6684 cmdline: 'C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exe' MD5: E989518EABE414EF4B959EB7DE190E7C)
    • 22021Item_list_sheet#7292020_PDF.exe (PID: 6884 cmdline: {path} MD5: E989518EABE414EF4B959EB7DE190E7C)
      • schtasks.exe (PID: 6908 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp709D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6964 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7457.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 7052 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: E989518EABE414EF4B959EB7DE190E7C)
    • dhcpmon.exe (PID: 5340 cmdline: {path} MD5: E989518EABE414EF4B959EB7DE190E7C)
  • dhcpmon.exe (PID: 2948 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: E989518EABE414EF4B959EB7DE190E7C)
    • dhcpmon.exe (PID: 6600 cmdline: {path} MD5: E989518EABE414EF4B959EB7DE190E7C)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["79.134.225.71"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Initial Sample

Source | Rule | Description | Author
22021Item_list_sheet#7292020_PDF.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x3bc49:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Dropped Files

Source | Rule | Description | Author
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x3bc49:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author
0000000B.00000002.275841389.0000000000DF2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x3ba49:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0000000A.00000000.248657270.00000000007F2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x3ba49:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0000000B.00000000.255441910.0000000000DF2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x3ba49:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000002.00000002.481895853.0000000000CA2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x3ba49:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000002.00000002.491459913.0000000004109000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(5 of the 78 memory-dump matches are reproduced here.)

Unpacked PEs

Source | Rule | Description | Author
7.2.22021Item_list_sheet#7292020_PDF.exe.490000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x3bc49:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
12.0.dhcpmon.exe.500000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x3bc49:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0.2.22021Item_list_sheet#7292020_PDF.exe.bf0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x3bc49:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
2.0.22021Item_list_sheet#7292020_PDF.exe.ca0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x3bc49:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
15.2.dhcpmon.exe.cb0000.1.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x3bc49:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
(5 of the 35 unpacked-PE matches are reproduced here.)
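What the matched $sh3 string above actually encodes, and how the same property lets an analyst carve the payload, as an added example (Python written for this page; it is not Joe Sandbox code and not the Yara rule itself). Reversing the reported string and base64-decoding it yields the DOS-stub text that every PE carries, which is exactly the property the rule keys on; the second function generalises that into a carver that recovers a whole reversed-base64 PE image from a buffer. The carver, its 40-character minimum run length and the constructed sample buffer are assumptions made for illustration, not data from the report.

```python
"""Added example (not Joe Sandbox code, not the Yara rule): decode the
reversed-base64 string reported on this page, then carve a reversed-base64
PE image out of an arbitrary buffer using the same property."""
import base64
import re

# The $sh3 string exactly as the report shows it (offset 0x3bc49 in the sample).
SH3_FROM_REPORT = "uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV"

# A reversed base64 blob carries its '=' padding at the FRONT, so the run
# pattern allows up to two leading '=' before a long base64 run.
# The 40-char minimum is an arbitrary assumption to skip short false positives.
REVERSED_B64_RUN = re.compile(rb"={0,2}[A-Za-z0-9+/]{40,}")


def decode_reversed_b64(s: str) -> bytes:
    """Undo the character reversal, then base64-decode (re-padding if needed)."""
    forward = s[::-1]
    forward += "=" * (-len(forward) % 4)
    return base64.b64decode(forward)


def carve_reversed_pe(buf: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, decoded_image) for every reversed-base64 run in buf
    whose decoded form starts with the MZ header."""
    hits = []
    for m in REVERSED_B64_RUN.finditer(buf):
        forward = m.group(0)[::-1]           # padding now trails, as base64 expects
        forward += b"=" * (-len(forward) % 4)
        try:
            data = base64.b64decode(forward, validate=True)
        except ValueError:                   # binascii.Error is a ValueError subclass
            continue
        if data.startswith(b"MZ"):
            hits.append((m.start(), data))
    return hits


def build_constructed_sample() -> bytes:
    """Constructed test input (not data from the report): a fake MZ header plus
    DOS-stub text, base64-encoded, reversed, and wrapped in filler bytes.
    It is not a runnable executable, only enough of one for the carver."""
    fake_pe = (b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
               + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 16)
    blob = base64.b64encode(fake_pe)[::-1]
    return b"\x00\x10filler bytes ;;\x00" + blob + b"\x00\x00trailing ;; data"


if __name__ == "__main__":
    print(decode_reversed_b64(SH3_FROM_REPORT))
    for offset, image in carve_reversed_pe(build_constructed_sample()):
        print(hex(offset), image[:2], b"DOS mode" in image)
```

The reported string decodes to the 39-byte text "This program cannot be run in DOS mode." because that text is a multiple of three bytes and, in the standard linker DOS stub, begins at offset 0x4E, which is itself a multiple of three; its base64 form is therefore self-contained and does not depend on the surrounding bytes, which is why one fixed string can match it. A rule covering executables embedded at other alignments would need the other two encodings as well. The same string at the same offset (0x3bc49) in the dropped dhcpmon.exe is consistent with the process tree above, where dhcpmon.exe carries the same MD5 as the initial sample.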

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exe, ProcessId: 6884, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp709D.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp709D.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exe, ParentProcessId: 6884, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp709D.tmp', ProcessId: 6908
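The matching logic behind the two Sigma hits above, as an added example (Python written for this page; it is neither Joe Sandbox's Sigma engine nor the published rules' exact field lists). Each rule is re-expressed as a predicate over Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) records and run over constructed events that mirror the report's process tree and run.dat write, plus one benign control that a naive "schtasks /create" match would wrongly flag. The `Event` field names and the GUID-directory pattern are assumptions generalised from the single path in the report.

```python
"""Added example for this page (not Joe Sandbox's Sigma engine): the logic of
the two Sigma hits, expressed as predicates over Sysmon-style events and run
against constructed events mirroring the reported process tree."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal Sysmon-style record; the field names are an assumption."""
    event_id: int                  # 1 = process create, 11 = file create
    image: str
    command_line: str = ""
    parent_image: str = ""
    target_filename: str = ""


# Task definition (/xml) read from the per-user Temp directory.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# NanoCore's run.dat under %AppData%\Roaming\{GUID}\ ; the GUID pattern is an
# assumption generalised from the one path in the report.
ROAMING_GUID_RUN_DAT = re.compile(
    r"\\AppData\\Roaming\\[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\\run\.dat$",
    re.IGNORECASE,
)


def scheduled_task_from_temp(ev: Event) -> bool:
    """'Scheduled temp file as task from temp location': schtasks.exe creating a
    task whose XML definition lives in the user's Temp directory."""
    if ev.event_id != 1 or not ev.image.lower().endswith("\\schtasks.exe"):
        return False
    cl = ev.command_line.lower()
    return "/create" in cl and "/xml" in cl and TEMP_DIR.search(ev.command_line) is not None


def nanocore_run_dat(ev: Event) -> bool:
    """'NanoCore': a file named run.dat created under a GUID-named Roaming folder."""
    return ev.event_id == 11 and ROAMING_GUID_RUN_DAT.search(ev.target_filename) is not None


RULES = {
    "Scheduled temp file as task from temp location": scheduled_task_from_temp,
    "NanoCore": nanocore_run_dat,
}


def evaluate(events):
    """Return (rule_name, event) for every rule each event satisfies."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


SAMPLE_EXE = r"C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exe"

# Constructed events; values are taken from the process tree and Sigma data above.
CONSTRUCTED_EVENTS = [
    Event(1, r"C:\Windows\SysWOW64\schtasks.exe",
          r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp709D.tmp'",
          SAMPLE_EXE),
    Event(1, r"C:\Windows\SysWOW64\schtasks.exe",
          r"'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7457.tmp'",
          SAMPLE_EXE),
    Event(11, SAMPLE_EXE,
          target_filename=r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"),
    # Benign control: a task created from a definition that is not in Temp.
    Event(1, r"C:\Windows\System32\schtasks.exe",
          r"schtasks.exe /create /tn Backup /xml C:\ProgramData\backup\task.xml",
          r"C:\Windows\System32\cmd.exe"),
]


if __name__ == "__main__":
    for name, ev in evaluate(CONSTRUCTED_EVENTS):
        print(f"{name}: {ev.command_line or ev.target_filename}")
```

Both schtasks events carry the injected child (PID 6884, the second instance of the sample in the process tree) as parent, so a hunt can pivot from the task names 'DHCP Monitor' and 'DHCP Monitor Task' to the binary they launch, C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, which the tree shows is the sample itself copied under a new name.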

Signature Overview

AV Detection:

Found malware configuration
Source: 22021Item_list_sheet#7292020_PDF.exe.640.10.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["79.134.225.71"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Yara detected Nanocore RAT
Source: Yara match. File sources of type MEMORY:
  • 00000002.00000002.491459913.0000000004109000.00000004.00000001.sdmp
  • 00000007.00000002.263783969.0000000003831000.00000004.00000001.sdmp
  • 0000000A.00000002.277289475.0000000003E39000.00000004.00000001.sdmp
  • 00000002.00000002.481499766.0000000000402000.00000040.00000001.sdmp
  • 00000000.00000002.229955850.0000000003F41000.00000004.00000001.sdmp
  • 0000000C.00000002.285465230.0000000003981000.00000004.00000001.sdmp
  • 00000002.00000002.493420371.0000000006670000.00000004.00000001.sdmp
  • 0000000F.00000002.295786416.0000000000402000.00000040.00000001.sdmp
  • 0000000B.00000002.280656232.00000000042C9000.00000004.00000001.sdmp
  • 0000000A.00000002.272671244.0000000000402000.00000040.00000001.sdmp
  • 0000000F.00000002.297223653.0000000003FE9000.00000004.00000001.sdmp
  • 0000000A.00000002.276335499.0000000002E31000.00000004.00000001.sdmp
  • 0000000B.00000002.280265356.00000000032C1000.00000004.00000001.sdmp
  • 0000000B.00000002.275692624.0000000000402000.00000040.00000001.sdmp
  • 0000000F.00000002.297055721.0000000002FE1000.00000004.00000001.sdmp
  • 00000008.00000002.267950691.0000000004351000.00000004.00000001.sdmp
  • Process Memory Space: 22021Item_list_sheet#7292020_PDF.exe PID: 640
  • Process Memory Space: 22021Item_list_sheet#7292020_PDF.exe PID: 6884
  • Process Memory Space: dhcpmon.exe PID: 6600
  • Process Memory Space: dhcpmon.exe PID: 5340
File sources of type UNPACKEDPE:
  • 15.2.dhcpmon.exe.400000.0.unpack
  • 2.2.22021Item_list_sheet#7292020_PDF.exe.6670000.6.unpack
  • 2.2.22021Item_list_sheet#7292020_PDF.exe.400000.0.unpack
  • 11.2.dhcpmon.exe.400000.0.unpack
  • 2.2.22021Item_list_sheet#7292020_PDF.exe.6670000.6.raw.unpack
  • 10.2.22021Item_list_sheet#7292020_PDF.exe.400000.0.unpack
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 22021Item_list_sheet#7292020_PDF.exe | Joe Sandbox ML: detected
Source: global traffic | TCP traffic: 192.168.2.4:49712 -> 79.134.225.71:1990
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.71 (this entry is repeated 50 times in the report)
Source: 22021Item_list_sheet#7292020_PDF.exe, 00000002.00000002.486853762.00000000030C1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 22021Item_list_sheet#7292020_PDF.exe, 00000002.00000002.491459913.0000000004109000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match. The file sources are the same 26 MEMORY and UNPACKEDPE entries listed for this signature under AV Detection above; the report repeats the full list here.

System Summary:

Malicious sample detected (through community Yara rule)
Matched rules: "Detects the Nanocore RAT" (author: Florian Roth) and "NanoCore" (author: Kevin Breen <kevin@techanarchy.net>).
Sources matched by both rules:
  • 00000007.00000002.263783969.0000000003831000.00000004.00000001.sdmp, type: MEMORY
  • 00000002.00000002.481499766.0000000000402000.00000040.00000001.sdmp, type: MEMORY
  • 00000000.00000002.229955850.0000000003F41000.00000004.00000001.sdmp, type: MEMORY
  • 0000000C.00000002.285465230.0000000003981000.00000004.00000001.sdmp, type: MEMORY
  • 0000000F.00000002.295786416.0000000000402000.00000040.00000001.sdmp, type: MEMORY
  • 0000000A.00000002.272671244.0000000000402000.00000040.00000001.sdmp, type: MEMORY
  • 0000000B.00000002.275692624.0000000000402000.00000040.00000001.sdmp, type: MEMORY
  • 00000008.00000002.267950691.0000000004351000.00000004.00000001.sdmp, type: MEMORY
  • Process Memory Space: 22021Item_list_sheet#7292020_PDF.exe PID: 640, type: MEMORY
  • Process Memory Space: 22021Item_list_sheet#7292020_PDF.exe PID: 6884, type: MEMORY
  • Process Memory Space: dhcpmon.exe PID: 6600, type: MEMORY
  • Process Memory Space: dhcpmon.exe PID: 5340, type: MEMORY
  • 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
  • 2.2.22021Item_list_sheet#7292020_PDF.exe.400000.0.unpack, type: UNPACKEDPE
  • 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
  • 10.2.22021Item_list_sheet#7292020_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Sources matched only by "Detects the Nanocore RAT" (Florian Roth):
  • 00000002.00000002.493341836.00000000065E0000.00000004.00000001.sdmp, type: MEMORY
  • 00000002.00000002.493420371.0000000006670000.00000004.00000001.sdmp, type: MEMORY
  • 2.2.22021Item_list_sheet#7292020_PDF.exe.6670000.6.unpack, type: UNPACKEDPE
  • 2.2.22021Item_list_sheet#7292020_PDF.exe.65e0000.5.raw.unpack, type: UNPACKEDPE
  • 2.2.22021Item_list_sheet#7292020_PDF.exe.6670000.6.raw.unpack, type: UNPACKEDPE
Sources matched only by "NanoCore" (Kevin Breen):
  • 00000002.00000002.491459913.0000000004109000.00000004.00000001.sdmp, type: MEMORY
  • 0000000A.00000002.277289475.0000000003E39000.00000004.00000001.sdmp, type: MEMORY
  • 0000000B.00000002.280656232.00000000042C9000.00000004.00000001.sdmp, type: MEMORY
  • 0000000F.00000002.297223653.0000000003FE9000.00000004.00000001.sdmp, type: MEMORY
  • 0000000A.00000002.276335499.0000000002E31000.00000004.00000001.sdmp, type: MEMORY
  • 0000000B.00000002.280265356.00000000032C1000.00000004.00000001.sdmp, type: MEMORY
  • 0000000F.00000002.297055721.0000000002FE1000.00000004.00000001.sdmp, type: MEMORY
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: 22021Item_list_sheet#7292020_PDF.exe
Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exe | Code function 0_2_02E102FC: NtQueryInformationProcess
Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exe | Code function 0_2_02E10308: NtQueryInformationProcess, OutputDebugStringW
Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exe | Code function 0_2_02E1688B: NtQueryInformationProcess
Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exe | Code function 7_2_026B02FC: NtQueryInformationProcess
Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exe | Code function 7_2_026B02E4: NtQueryInformationProcess
Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exe | Code function 7_2_026B6888: NtQueryInformationProcess
Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exe | Code functions (0_2_ series): 04FC1548, 04FC2618, 04FC14E8, 04FC2D20, 04FC2608, 04FC2B00, 02E16A98, 02E13038, 02E12159, 02E156C0, 02E166A0, 02E18E90, 02E10FE8, 02E11710, 02E19490, 02E10470, 02E152C0, 02E152B1, 02E16A88, 02E14A48, 02E14A58, 02E19308, 02E150F0, 02E1A8B0, 02E18028, 02E18038, 02E159A8, 02E15998, 02E15100, 02E1DE20, 02E16630, 02E15FE0, 02E12FFF, 02E10FD1, 02E15FD3, 02E10F48, 02E12F48, 02E15520, 02E15510
Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exe | Code functions (2_2_ series): 02FEE480, 02FEE471, 02FEBBD4, 06A50040
Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exe | Code functions (7_2_ series): 04870E98, 04872618, 04872608, 04870E64, 04872B00, 026B3038, 026B2168, 026B69A8, 026B56D0, 026B66A0, 026B8EA0, 026B1720, 026B0FE8, 026BA4C8, 026B0480, 026B4A48, 026B4A58, 026B8210, 026B52C0, 026B52B1, 026B9308, 026B50F0, 026B2159, 026B5100, 026B81FF
    Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exeCode function: 7_2_026B59A87_2_026B59A8
    Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exeCode function: 7_2_026B59987_2_026B5998
    Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exeCode function: 7_2_026B69977_2_026B6997
    Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exeCode function: 7_2_026B8E787_2_026B8E78
    Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exeCode function: 7_2_026BDE207_2_026BDE20
    Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exeCode function: 7_2_026B66307_2_026B6630
    Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exeCode function: 7_2_026B56C07_2_026B56C0
    Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exeCode function: 7_2_026B0F767_2_026B0F76
    Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exeCode function: 7_2_026B2F487_2_026B2F48
    Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exeCode function: 7_2_026B17107_2_026B1710
    Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exeCode function: 7_2_026B5FE07_2_026B5FE0
    Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exeCode function: 7_2_026B5FD37_2_026B5FD3
    Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exeCode function: 7_2_026B04707_2_026B0470
    Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exeCode function: 7_2_026B94907_2_026B9490
    Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exeCode function: 7_2_026B55207_2_026B5520
    Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exeCode function: 7_2_026B55107_2_026B5510
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_053926188_2_05392618
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_05390E988_2_05390E98
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_05392B008_2_05392B00
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_053926088_2_05392608
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_05390E648_2_05390E64
    Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exeCode function: 10_2_02C3E48010_2_02C3E480
    Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exeCode function: 10_2_02C3E47110_2_02C3E471
    Source: C:\Users\user\Desktop\22021Item_list_sheet#7292020_PDF.exeCode function: 10_2_02C3BBD410_2_02C3BBD4
    Source: 22021Item_list_sheet#7292020_PDF.exe | Binary or memory string: OriginalFilename vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe, 00000000.00000000.214707864.0000000000BF2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePCFvp.exe. vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe, 00000000.00000002.234143651.0000000008310000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLoreal.exe4 vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe, 00000000.00000002.225933233.0000000002F41000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSparta.dll. vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe | Binary or memory string: OriginalFilename vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe, 00000002.00000002.481895853.0000000000CA2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePCFvp.exe. vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe, 00000002.00000002.491459913.0000000004109000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe, 00000002.00000002.491459913.0000000004109000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe, 00000002.00000002.491459913.0000000004109000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe, 00000002.00000002.493280876.0000000006570000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe, 00000002.00000002.493852862.0000000006F20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe | Binary or memory string: OriginalFilename vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe, 00000007.00000002.269975028.0000000007BB0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLoreal.exe4 vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe, 00000007.00000002.255403950.0000000000C0A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe, 00000007.00000000.235063003.0000000000492000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePCFvp.exe. vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe, 00000007.00000002.255906588.0000000002831000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSparta.dll. vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe | Binary or memory string: OriginalFilename vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe, 0000000A.00000000.248657270.00000000007F2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePCFvp.exe. vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe, 0000000A.00000002.277289475.0000000003E39000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe, 0000000A.00000002.277289475.0000000003E39000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe, 0000000A.00000002.277289475.0000000003E39000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe | Binary or memory string: OriginalFilenamePCFvp.exe. vs 22021Item_list_sheet#7292020_PDF.exe
    Source: 22021Item_list_sheet#7292020_PDF.exe, type: SAMPLE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 0000000B.00000002.275841389.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 0000000A.00000000.248657270.00000000007F2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 0000000B.00000000.255441910.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 00000002.00000002.481895853.0000000000CA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 00000002.00000002.491459913.0000000004109000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000008.00000002.256836099.0000000000FB2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 0000000A.00000002.272860007.00000000007F2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 00000007.00000002.263783969.0000000003831000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000007.00000002.263783969.0000000003831000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000A.00000002.277289475.0000000003E39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000002.00000002.481499766.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000002.00000002.481499766.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000000.214707864.0000000000BF2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 00000002.00000002.493341836.00000000065E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000002.00000002.493341836.00000000065E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000000.00000002.229955850.0000000003F41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.229955850.0000000003F41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000C.00000002.285465230.0000000003981000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000002.285465230.0000000003981000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000002.00000002.493420371.0000000006670000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000002.00000002.493420371.0000000006670000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000007.00000000.235063003.0000000000492000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 0000000F.00000002.295786416.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.295786416.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000B.00000002.280656232.00000000042C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000A.00000002.272671244.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000A.00000002.272671244.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000007.00000002.254596851.0000000000492000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 00000000.00000002.225091062.0000000000BF2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 0000000C.00000000.256906476.0000000000502000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 0000000F.00000002.297223653.0000000003FE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000000.271978071.0000000000CB2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 0000000A.00000002.276335499.0000000002E31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000C.00000002.274477118.0000000000502000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285