Analysis Report d4e475d7d17a16be8b9eeac6e10b25af

Overview

General Information

Sample Name: d4e475d7d17a16be8b9eeac6e10b25af (renamed file extension from none to exe)
Analysis ID: 320928
MD5: 5162337b6fd4c8806ef62f6ebf4a5df8
SHA1: 126642db1117de853d7e0ae601e0ff45358d7413
SHA256: 9c2e4a4a0e7bb4c3c47ca33ec0d0c377fa38e0ae498721062432648ebf060a10
Tags: NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Contains functionality to inject code into remote processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Uses dynamic DNS services
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • d4e475d7d17a16be8b9eeac6e10b25af.exe (PID: 576 cmdline: 'C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe' MD5: 5162337B6FD4C8806EF62F6EBF4A5DF8)
    • RegAsm.exe (PID: 5656 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe MD5: 529695608EAFBED00ACA9E61EF333A7C)
  • DiagnosticsHub.StandardCollector.Service.exe.bat (PID: 5944 cmdline: 'C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat' MD5: F660ED54597E4FF5354B557329CAB70D)
    • RegAsm.exe (PID: 4332 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe MD5: 529695608EAFBED00ACA9E61EF333A7C)
  • dhcpmon.exe (PID: 5860 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: NanoCore

{"C2: ": ["255.255.255.255"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf34d:$x1: NanoCore.ClientPluginHost
  • 0xf38a:$x2: IClientNetworkHost
  • 0x12ebd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xf0b5:$a: NanoCore
  • 0xf0c5:$a: NanoCore
  • 0xf2f9:$a: NanoCore
  • 0xf30d:$a: NanoCore
  • 0xf34d:$a: NanoCore
  • 0xf114:$b: ClientPlugin
  • 0xf316:$b: ClientPlugin
  • 0xf356:$b: ClientPlugin
  • 0xf23b:$c: ProjectData
  • 0xfc42:$d: DESCrypto
  • 0x1760e:$e: KeepAlive
  • 0x155fc:$g: LogClientMessage
  • 0x117f7:$i: get_Connected
  • 0xff78:$j: #=q
  • 0xffa8:$j: #=q
  • 0xffc4:$j: #=q
  • 0xfff4:$j: #=q
  • 0x10010:$j: #=q
  • 0x1002c:$j: #=q
  • 0x1005c:$j: #=q
  • 0x10078:$j: #=q
00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author
2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
3.2.RegAsm.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 5656, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat, Avira: detection malicious, Label: HEUR/AGEN.1100084
Found malware configuration
Source: RegAsm.exe.4332.3.memstr, Malware Configuration Extractor: NanoCore {"C2: ": ["255.255.255.255"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for submitted file
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe, Virustotal: Detection: 66%
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe, Metadefender: Detection: 37%
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe, ReversingLabs: Detection: 70%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.209839006.00000000010BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.254683276.0000000001181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.209991404.00000000010E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.209808084.0000000001147000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.209532145.0000000001114000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.231856687.000000000112F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.230915051.0000000001129000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.231281467.0000000001180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.230856862.00000000011B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.254526561.00000000011E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.254613953.00000000011B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.254797061.0000000000F9F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.231188805.0000000001154000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.250629843.0000000004451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.210637735.000000000106B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.232736755.0000000000E62000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.231305365.0000000001181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.231549555.00000000010FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.250595233.0000000003451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.210116902.00000000010E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.210229940.0000000001114000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.231711637.00000000010FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 5944, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 4332, type: MEMORY
Source: Yara match, File source: Process Memory Space: d4e475d7d17a16be8b9eeac6e10b25af.exe PID: 576, type: MEMORY
Source: Yara match, File source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, type: UNPACKEDPE
Source: 3.2.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat, Code function: 2_2_00424696 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat, Code function: 2_2_00423D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat, Code function: 2_2_004245C1 FindFirstFileW,CreateFileW,SetFileTime,CloseHandle
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat, Code function: 2_2_0042C93C FindFirstFileW,FindClose
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat, Code function: 2_2_0042C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat, Code function: 2_2_0042F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat, Code function: 2_2_0042F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat, Code function: 2_2_0042F65E FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat, Code function: 2_2_00423A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat, Code function: 2_2_0042BF27 FindFirstFileW,FindNextFileW,FindClose

Networking:

Uses dynamic DNS services
Source: unknown, DNS query: name: windowslivesoffice.ddns.net
Source: Joe Sandbox View, ASN Name: COGENT-174US COGENT-174US
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat, Code function: 2_2_004325E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: unknown, DNS traffic detected: queries for: windowslivesoffice.ddns.net
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat, Code function: 2_2_0043425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat, Code function: 2_2_00420219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: RegAsm.exe, 00000003.00000002.250629843.0000000004451000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat, Code function: 2_2_0044CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.209839006.00000000010BD000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000003.209839006.00000000010BD000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.254683276.0000000001181000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000003.254683276.0000000001181000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.209991404.00000000010E7000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000003.209991404.00000000010E7000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.209808084.0000000001147000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000003.209808084.0000000001147000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.209532145.0000000001114000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000003.209532145.0000000001114000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.231856687.000000000112F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000003.231856687.000000000112F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.230915051.0000000001129000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000003.230915051.0000000001129000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.231281467.0000000001180000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000003.231281467.0000000001180000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.230856862.00000000011B4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000003.230856862.00000000011B4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.254526561.00000000011E6000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000003.254526561.00000000011E6000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.254613953.00000000011B3000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000003.254613953.00000000011B3000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.254797061.0000000000F9F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000003.254797061.0000000000F9F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.231188805.0000000001154000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000003.231188805.0000000001154000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.250629843.0000000004451000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.210637735.000000000106B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000003.210637735.000000000106B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.232736755.0000000000E62000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000003.232736755.0000000000E62000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.231305365.0000000001181000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000003.231305365.0000000001181000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.231549555.00000000010FD000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000003.231549555.00000000010FD000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.250595233.0000000003451000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.210116902.00000000010E7000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000003.210116902.00000000010E7000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.210229940.0000000001114000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000003.210229940.0000000001114000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.231711637.00000000010FD000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000003.231711637.00000000010FD000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 5944, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 5944, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 4332, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 4332, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: d4e475d7d17a16be8b9eeac6e10b25af.exe PID: 576, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: d4e475d7d17a16be8b9eeac6e10b25af.exe PID: 576, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        AutoIt script contains suspicious strings
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe; AutoIt Script: 1 = 38669117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe; AutoIt Script: 792303 THEN LOCAL $LPSHELLCODE = $E ($B (ZVTZJDNXH
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr; AutoIt Script: 1 = 38669117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr; AutoIt Script: 792303 THEN LOCAL $LPSHELLCODE = $E ($B (ZVTZJDNXH
        Binary is likely a compiled AutoIt script file
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe, 00000000.00000000.204952653.00000000009A5000.00000002.00020000.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script.
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe, 00000000.00000000.204952653.00000000009A5000.00000002.00020000.sdmp; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function 2_2_003C3B4C: This is a third-party compiled AutoIt script.
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat; String found in binary or memory: This is a third-party compiled AutoIt script.
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat, 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe; String found in binary or memory: This is a third-party compiled AutoIt script.
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function 2_2_00424021: CreateFileW,DeviceIoControl,CloseHandle
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function 2_2_00418858: DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function 2_2_0042545F: ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_003E33C7
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_003CFE40
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_003E2405
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_003D44B6
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_00440665
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_003F267E
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_003E283A
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_003D6843
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_003F89DF
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_00440AE2
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_003F6A94
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_00428B13
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_003ECD61
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_003F7006
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_003D710E
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_003D3190
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_003C1287
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_003EF419
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_003E16C4
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_003E1BB8
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_003F9D05
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_003EBFE6
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: 2_2_003E1FD0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_02FA2FA8
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_02FA23A0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_02FA3850
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_02FA306F
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: String function: 003C7F41 appears 35 times
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: String function: 003E8B40 appears 42 times
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat; Code function: String function: 003E0D27 appears 70 times
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: d4e475d7d17a16be8b9eeac6e10b25af.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Section loaded: sfc.dll
        Source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.209839006.00000000010BD000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.209839006.00000000010BD000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.254683276.0000000001181000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.254683276.0000000001181000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.209991404.00000000010E7000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.209991404.00000000010E7000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.209808084.0000000001147000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.209808084.0000000001147000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.209532145.0000000001114000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.209532145.0000000001114000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.231856687.000000000112F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.231856687.000000000112F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.230915051.0000000001129000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.230915051.0000000001129000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.231281467.0000000001180000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.231281467.0000000001180000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.230856862.00000000011B4000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.230856862.00000000011B4000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.254526561.00000000011E6000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.254526561.00000000011E6000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.254613953.00000000011B3000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.254613953.00000000011B3000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.254797061.0000000000F9F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.254797061.0000000000F9F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.231188805.0000000001154000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.231188805.0000000001154000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.250629843.0000000004451000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.210637735.000000000106B000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.210637735.000000000106B000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.232736755.0000000000E62000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.232736755.0000000000E62000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.231305365.0000000001181000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.231305365.0000000001181000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.231549555.00000000010FD000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.231549555.00000000010FD000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.250595233.0000000003451000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.210116902.00000000010E7000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.210116902.00000000010E7000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.210229940.0000000001114000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.210229940.0000000001114000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.231711637.00000000010FD000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.231711637.00000000010FD000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014