
Analysis Report vC4qh30p9mw3YNB.exe

Overview

General Information

Sample Name: vC4qh30p9mw3YNB.exe
Analysis ID: 299742
MD5: d66f4b72fedd2c4981fbdd7d28a72e00
SHA1: 64c7758d0fac26207795e8ebb7212b738b029deb
SHA256: cc566277bb275dde9c670ecd2d89c9d3a0e3b22cb8aa28b4d564d4b8232bbc7e
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • vC4qh30p9mw3YNB.exe (PID: 7060 cmdline: 'C:\Users\user\Desktop\vC4qh30p9mw3YNB.exe' MD5: D66F4B72FEDD2C4981FBDD7D28A72E00)
    • schtasks.exe (PID: 4752 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\BcqDAiQPbD' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD6A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vC4qh30p9mw3YNB.exe (PID: 4264 cmdline: {path} MD5: D66F4B72FEDD2C4981FBDD7D28A72E00)
      • schtasks.exe (PID: 6364 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE24.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6440 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1151.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • vC4qh30p9mw3YNB.exe (PID: 6452 cmdline: C:\Users\user\Desktop\vC4qh30p9mw3YNB.exe 0 MD5: D66F4B72FEDD2C4981FBDD7D28A72E00)
    • schtasks.exe (PID: 6848 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\BcqDAiQPbD' /XML 'C:\Users\user\AppData\Local\Temp\tmp2B70.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5812 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: D66F4B72FEDD2C4981FBDD7D28A72E00)
  • dhcpmon.exe (PID: 6572 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: D66F4B72FEDD2C4981FBDD7D28A72E00)
    • schtasks.exe (PID: 6240 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\BcqDAiQPbD' /XML 'C:\Users\user\AppData\Local\Temp\tmp5917.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 6508 cmdline: {path} MD5: D66F4B72FEDD2C4981FBDD7D28A72E00)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["70.20.49.01"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings (matched strings, where any, are listed beneath the row)
00000014.00000002.417022492.0000000003A89000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000014.00000002.417022492.0000000003A89000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x435cd:$a: NanoCore
  • 0x43626:$a: NanoCore
  • 0x43663:$a: NanoCore
  • 0x436dc:$a: NanoCore
  • 0x56d87:$a: NanoCore
  • 0x56d9c:$a: NanoCore
  • 0x56dd1:$a: NanoCore
  • 0x6fd7b:$a: NanoCore
  • 0x6fd90:$a: NanoCore
  • 0x6fdc5:$a: NanoCore
  • 0x4362f:$b: ClientPlugin
  • 0x4366c:$b: ClientPlugin
  • 0x43f6a:$b: ClientPlugin
  • 0x43f77:$b: ClientPlugin
  • 0x56b43:$b: ClientPlugin
  • 0x56b5e:$b: ClientPlugin
  • 0x56b8e:$b: ClientPlugin
  • 0x56da5:$b: ClientPlugin
  • 0x56dda:$b: ClientPlugin
  • 0x6fb37:$b: ClientPlugin
  • 0x6fb52:$b: ClientPlugin
00000004.00000002.597468008.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.597468008.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000004.00000002.597468008.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
List truncated; 53 entries in total.

Unpacked PEs

Source | Rule | Description | Author | Strings (matched strings, where any, are listed beneath the row)
14.2.vC4qh30p9mw3YNB.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.vC4qh30p9mw3YNB.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
14.2.vC4qh30p9mw3YNB.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
14.2.vC4qh30p9mw3YNB.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
20.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
List truncated; 7 entries in total.

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\vC4qh30p9mw3YNB.exe, ProcessId: 4264, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\BcqDAiQPbD' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD6A.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\BcqDAiQPbD' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD6A.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\vC4qh30p9mw3YNB.exe', ParentImage: C:\Users\user\Desktop\vC4qh30p9mw3YNB.exe, ParentProcessId: 7060, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\BcqDAiQPbD' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD6A.tmp', ProcessId: 4752

Signature Overview

AV Detection:

Found malware configuration
Source: vC4qh30p9mw3YNB.exe.7060.1.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["70.20.49.01"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Virustotal: Detection: 23%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 14%
Source: C:\Users\user\AppData\Roaming\BcqDAiQPbD.exe | Virustotal: Detection: 23%
Source: C:\Users\user\AppData\Roaming\BcqDAiQPbD.exe | ReversingLabs: Detection: 14%
Multi AV Scanner detection for submitted file
Source: vC4qh30p9mw3YNB.exe | Virustotal: Detection: 23%
Source: vC4qh30p9mw3YNB.exe | ReversingLabs: Detection: 14%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000014.00000002.417022492.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.597468008.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.393039565.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.416942287.0000000002A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.373894488.00000000043E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.416067706.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.394191721.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.402740066.0000000004099000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.394356143.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.600121318.0000000003001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.347984280.0000000003A59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.378949601.0000000004259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 6600, type: MEMORY
Source: Yara match | File source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 7060, type: MEMORY
Source: Yara match | File source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 4264, type: MEMORY
Source: Yara match | File source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 6452, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6572, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6508, type: MEMORY
Source: Yara match | File source: 14.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\BcqDAiQPbD.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: vC4qh30p9mw3YNB.exe | Joe Sandbox ML: detected
Source: 20.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.vC4qh30p9mw3YNB.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.vC4qh30p9mw3YNB.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then jmp 059CE99Eh (15_2_059CDBF1)

Networking:

Uses dynamic DNS services
Source: unknown | DNS query: name: hotwireboxes4.ddns.net
Source: Joe Sandbox View | ASN Name: LEASEWEB-USA-NYC-11US LEASEWEB-USA-NYC-11US
Source: unknown | DNS traffic detected: queries for: hotwireboxes4.ddns.net
Source: vC4qh30p9mw3YNB.exe, 00000004.00000002.600449358.0000000003084000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: vC4qh30p9mw3YNB.exe, 00000001.00000002.347547867.0000000002AA2000.00000004.00000001.sdmp, vC4qh30p9mw3YNB.exe, 00000008.00000002.378300554.00000000032A2000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.400640839.00000000030E2000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vC4qh30p9mw3YNB.exe, 00000001.00000002.347293578.0000000000E98000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: vC4qh30p9mw3YNB.exe, 0000000E.00000002.394191721.0000000002CA1000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000014.00000002.417022492.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.597468008.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.393039565.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.416942287.0000000002A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.373894488.00000000043E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.416067706.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.394191721.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.402740066.0000000004099000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.394356143.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.600121318.0000000003001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.347984280.0000000003A59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.378949601.0000000004259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 6600, type: MEMORY
Source: Yara match | File source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 7060, type: MEMORY
Source: Yara match | File source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 4264, type: MEMORY
Source: Yara match | File source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 6452, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6572, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6508, type: MEMORY
Source: Yara match | File source: 14.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, type: UNPACKEDPE

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000014.00000002.417022492.0000000003A89000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000002.597468008.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.597468008.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.393039565.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.393039565.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000014.00000002.416942287.0000000002A81000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.373894488.00000000043E4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000A.00000002.373894488.00000000043E4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000002.600449358.0000000003084000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000014.00000002.416067706.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000014.00000002.416067706.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.394191721.0000000002CA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000F.00000002.402740066.0000000004099000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.402740066.0000000004099000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.394356143.0000000003CA9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000002.600121318.0000000003001000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.347984280.0000000003A59000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.347984280.0000000003A59000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.378949601.0000000004259000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000002.378949601.0000000004259000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 6600, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 6600, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 7060, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 7060, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 4264, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 4264, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 6452, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 6452, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6572, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6572, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6508, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6508, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Users\user\Desktop\vC4qh30p9mw3YNB.exeCode function: 4_2_02FCE4804_2_02FCE480
        Source: C:\Users\user\Desktop\vC4qh30p9mw3YNB.exeCode function: 4_2_02FCE4714_2_02FCE471
        Source: C:\Users\user\Desktop\vC4qh30p9mw3YNB.exeCode function: 4_2_02FCBBD44_2_02FCBBD4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_018CC12410_2_018CC124
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_018CE56210_2_018CE562
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_018CE57010_2_018CE570
        Source: C:\Users\user\Desktop\vC4qh30p9mw3YNB.exeCode function: 14_2_051AE47114_2_051AE471
        Source: C:\Users\user\Desktop\vC4qh30p9mw3YNB.exeCode function: 14_2_051AE48014_2_051AE480
        Source: C:\Users\user\Desktop\vC4qh30p9mw3YNB.exeCode function: 14_2_051ABBD414_2_051ABBD4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_0139C12415_2_0139C124
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_0139E57015_2_0139E570
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_0139E56215_2_0139E562
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_059CDBF115_2_059CDBF1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_059C850815_2_059C8508
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_059C7C3815_2_059C7C38
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_059C78F015_2_059C78F0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_059C9B9815_2_059C9B98
        Source: vC4qh30p9mw3YNB.exe, 00000001.00000000.332038694.0000000000678000.00000002.00020000.sdmpBinary or memory string: OriginalFilename-^4.exe> vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000001.00000002.347513233.0000000002A51000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameB2B.exe4 vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000001.00000002.348918044.0000000004F30000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMARCUS.dll4 vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000001.00000002.351490222.00000000065F0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000001.00000002.351701424.00000000066F0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000001.00000002.351701424.00000000066F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000004.00000002.597872387.0000000000D98000.00000002.00020000.sdmpBinary or memory string: OriginalFilename-^4.exe> vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000004.00000002.600449358.0000000003084000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000004.00000002.600449358.0000000003084000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000004.00000002.600449358.0000000003084000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000004.00000002.600449358.0000000003084000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000004.00000002.600449358.0000000003084000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000004.00000002.600449358.0000000003084000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000004.00000002.600449358.0000000003084000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000004.00000002.600449358.0000000003084000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000004.00000002.600449358.0000000003084000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000004.00000002.599120975.00000000013EA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000004.00000003.359745188.0000000006D21000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000004.00000002.600121318.0000000003001000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000004.00000002.600121318.0000000003001000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000008.00000002.376960512.0000000000EE8000.00000002.00020000.sdmpBinary or memory string: OriginalFilename-^4.exe> vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000008.00000002.383420196.0000000006390000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameB2B.exe4 vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000008.00000002.385451480.00000000070B0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000008.00000002.385451480.00000000070B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000008.00000002.384723907.0000000006FB0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 00000008.00000002.378949601.0000000004259000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMARCUS.dll4 vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 0000000E.00000000.374538211.0000000000898000.00000002.00020000.sdmpBinary or memory string: OriginalFilename-^4.exe> vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 0000000E.00000002.394191721.0000000002CA1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 0000000E.00000002.394191721.0000000002CA1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exe, 0000000E.00000002.394356143.0000000003CA9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs vC4qh30p9mw3YNB.exe
        Source: vC4qh30p9mw3YNB.exeBinary or memory string: OriginalFilename-^4.exe> vs vC4qh30p9mw3YNB.exe
Source: 00000014.00000002.417022492.0000000003A89000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.597468008.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.597468008.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.393039565.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.393039565.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.416942287.0000000002A81000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.373894488.00000000043E4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.373894488.00000000043E4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.600449358.0000000003084000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.416067706.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.416067706.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.394191721.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.402740066.0000000004099000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.402740066.0000000004099000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.394356143.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.600121318.0000000003001000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.347984280.0000000003A59000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.347984280.0000000003A59000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.378949601.0000000004259000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.378949601.0000000004259000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 6600, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 6600, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 7060, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 7060, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 4264, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 4264, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 6452, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: vC4qh30p9mw3YNB.exe PID: 6452, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6572, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6572, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6508, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6508, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: vC4qh30p9mw3YNB.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: BcqDAiQPbD.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 4.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.2.vC4qh30p9mw3YNB.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@26/15@1/1
Source: C:\Users\user\Desktop\vC4qh30p9mw3YNB.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\vC4qh30p9mw3YNB.exe | File created: C:\Users\user\AppData\Roaming\BcqDAiQPbD.exe
Source: C:\Users\user\Desktop\vC4qh30p9mw3YNB.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{50dbad3e-032c-4487-a9c3-559e7fcea6cc}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4832:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6284:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6852:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5688:120:WilError_01
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Mutant created: \Sessions\1\BaseNamedObjects\OrOuUExJRKzavXyke
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_01
Source: C:\Users\user\Desktop\vC4qh30p9mw3YNB.exe | File created: C:\Users\user\AppData\Local\Temp\tmpFD6A.tmp
Source: vC4qh30p9mw3YNB.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\vC4qh30p9mw3YNB.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\vC4qh30p9mw3YNB.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\vC4qh30p9mw3YNB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: vC4qh30p9mw3YNB.exe | Virustotal: Detection: 23%
Source: vC4qh30p9mw3YNB.exe | ReversingLabs: Detection: 14%
Source: vC4qh30p9mw3YNB.exe | String found in binary or memory: 9x+th+vJO+vC+vpy/t2jn/Z/17/vx+PAu+/G/vlx/Dh/jqPlvK/WP/add9/7o/zyvvP8Oe/16fPn/D8/z0D1/1//Ty/Nu/bt/HN/7Fje6BNz/28/fx/WP/na/Xt//Oz/389/Lj/vc/fe/fd+3fL6H/35/3j/3e3/72D//i+/trfs/f4/t1/Pe+v7+3trq/d9/10/T4//W/vF+/K//F//bz//83x/v48/R9/f8vu4/Jz/p0/dU0+/zZZz/efr/fU7fT97
Source: dhcpmon.exe | String found in binary or memory: 9x+th+vJO+vC+vpy/t2jn/Z/17/vx+PAu+/G/vlx/Dh/jqPlvK/WP/add9/7o/zyvvP8Oe/16fPn/D8/z0D1/1//Ty/Nu/bt/HN/7Fje6BNz/28/fx/WP/na/Xt//Oz/389/Lj/vc/fe/fd+3fL6H/35/3j/3e3/72D//i+/trfs/f4/t1/Pe+v7+3trq/d9/10/T4//W/vF+/K//F//bz//83x/v48/R9/f8vu4/Jz/p0/dU0+/zZZz/efr/fU7fT97
Source: C:\Users\user\Desktop\vC4qh30p9mw3YNB.exe | File read: C:\Users\user\Desktop\vC4qh30p9mw3YNB.exe
Source: unknown | Process created: C:\Users\user\Desktop\vC4qh30p9mw3YNB.exe 'C:\Users\user\Desktop\vC4qh30p9mw3YNB.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\BcqDAiQPbD' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD6A.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\vC4qh30p9mw3YNB.exe {path}
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Te