
Analysis Report Scan002.exe.exe

Overview

General Information

Sample Name: Scan002.exe.exe
Analysis ID: 338348
MD5: 8e2315d05c47fefdddf0a686bf9e353e
SHA1: e56fe197d61518b5ea20696677c3fb444e39860e
SHA256: dd647e98e0bd3b1627a0385970c38cd046883967f39dbf9fe416d5300e8e310a
Tags: exe, NanoCore, RAT, Yahoo

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Conhost Parent Process Executions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Scan002.exe.exe (PID: 2960 cmdline: 'C:\Users\user\Desktop\Scan002.exe.exe' MD5: 8E2315D05C47FEFDDDF0A686BF9E353E)
    • schtasks.exe (PID: 4564 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1945.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Scan002.exe.exe (PID: 4340 cmdline: {path} MD5: 8E2315D05C47FEFDDDF0A686BF9E353E)
      • schtasks.exe (PID: 4260 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8ED7.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 976 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp91C6.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Scan002.exe.exe (PID: 204 cmdline: C:\Users\user\Desktop\Scan002.exe.exe 0 MD5: 8E2315D05C47FEFDDDF0A686BF9E353E)
    • schtasks.exe (PID: 5876 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp414F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6608 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp65AF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • dhcpmon.exe (PID: 6712 cmdline: {path} MD5: 8E2315D05C47FEFDDDF0A686BF9E353E)
        • dhcpmon.exe (PID: 6744 cmdline: {path} MD5: 8E2315D05C47FEFDDDF0A686BF9E353E)
        • dhcpmon.exe (PID: 6764 cmdline: {path} MD5: 8E2315D05C47FEFDDDF0A686BF9E353E)
    • Scan002.exe.exe (PID: 4260 cmdline: {path} MD5: 8E2315D05C47FEFDDDF0A686BF9E353E)
  • dhcpmon.exe (PID: 5396 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 8E2315D05C47FEFDDDF0A686BF9E353E)
  • dhcpmon.exe (PID: 2160 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 8E2315D05C47FEFDDDF0A686BF9E353E)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["172.111.249.15"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1d8595:$x1: NanoCore.ClientPluginHost
  • 0x1d85d2:$x2: IClientNetworkHost
  • 0x1dc105:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x1d82fd:$a: NanoCore
  • 0x1d830d:$a: NanoCore
  • 0x1d8541:$a: NanoCore
  • 0x1d8555:$a: NanoCore
  • 0x1d8595:$a: NanoCore
  • 0x1d835c:$b: ClientPlugin
  • 0x1d855e:$b: ClientPlugin
  • 0x1d859e:$b: ClientPlugin
  • 0x127a96:$c: ProjectData
  • 0x1d8483:$c: ProjectData
  • 0x128537:$d: DESCrypto
  • 0x1d8e8a:$d: DESCrypto
  • 0x1e0856:$e: KeepAlive
  • 0x1de844:$g: LogClientMessage
  • 0x1daa3f:$i: get_Connected
  • 0x1d91c0:$j: #=q
  • 0x1d91f0:$j: #=q
  • 0x1d920c:$j: #=q
  • 0x1d923c:$j: #=q
  • 0x1d9258:$j: #=q
  • 0x1d9274:$j: #=q
0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
13.2.Scan002.exe.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.Scan002.exe.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
13.2.Scan002.exe.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
13.2.Scan002.exe.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
3.2.Scan002.exe.exe.6220000.6.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Scan002.exe.exe, ProcessId: 4340, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1945.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1945.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Scan002.exe.exe', ParentImage: C:\Users\user\Desktop\Scan002.exe.exe, ParentProcessId: 2960, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1945.tmp', ProcessId: 4564
Sigma detected: Conhost Parent Process Executions
Source: Process started | Author: omkar72 | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp65AF.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp65AF.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 2160, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp65AF.tmp', ProcessId: 6608

        Signature Overview

AV Detection:

Found malware configuration
Source: dhcpmon.exe.6764.27.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["172.111.249.15"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for domain / URL
Source: innocentbooii.hopto.org | Virustotal: Detection: 8%
Yara detected Nanocore RAT
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\UbebSiSIKndjd.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Scan002.exe.exe | Joe Sandbox ML: detected
Source: 3.2.Scan002.exe.exe.6220000.6.unpack | Avira: Label: TR/NanoCore.fadte
Source: 13.2.Scan002.exe.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.Scan002.exe.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: Scan002.exe.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Scan002.exe.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Scan002.exe.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: Scan002.exe.exe, 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, Scan002.exe.exe, 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, dhcpmon.exe, 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp
        Source: Binary string: mscorrc.pdb source: Scan002.exe.exe, 00000000.00000002.264377341.00000000067C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000003.00000002.609595214.0000000005F20000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.282247924.0000000006D60000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.277107575.0000000006B00000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.308220988.0000000007170000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Scan002.exe.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_04BDAF98
Source: C:\Users\user\Desktop\Scan002.exe.exe | Code function: 4x nop then jmp 0667082Dh | 0_2_066707C8
Source: C:\Users\user\Desktop\Scan002.exe.exe | Code function: 4x nop then jmp 0667082Dh | 0_2_066707B8
Source: C:\Users\user\Desktop\Scan002.exe.exe | Code function: 4x nop then mov esp, ebp | 3_2_032D86B1
Source: C:\Users\user\Desktop\Scan002.exe.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 8_2_052AAF98
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 10_2_0504AF88

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 172.111.249.15
Source: Joe Sandbox View | ASN Name: AS45671-NET-AUWholesaleServicesProviderAU
Source: unknown | DNS traffic detected: queries for: innocentbooii.hopto.org
        Source: Scan002.exe.exe, 00000000.00000002.251177607.0000000000AE9000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
        Source: Scan002.exe.exe, 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara matchFile source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001B.00000002.314577877.00000000033B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.610027032.0000000006220000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000D.00000002.287850073.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6764, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Scan002.exe.exe PID: 4340, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Scan002.exe.exe PID: 4260, type: MEMORY
        Source: Yara matchFile source: 13.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.Scan002.exe.exe.6220000.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.Scan002.exe.exe.6220000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE

        Operating System Destruction:

        Protects its processes via BreakOnTermination flag
        Source: C:\Users\user\Desktop\Scan002.exe.exeProcess information set: 01 00 00 00 Jump to behavior

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.609798776.0000000005F80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.609917775.00000000060D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001B.00000002.314577877.00000000033B1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.610027032.0000000006220000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000D.00000002.287850073.0000000002D11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6764, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6764, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Scan002.exe.exe PID: 4340, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Scan002.exe.exe PID: 4340, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Scan002.exe.exe PID: 4260, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Scan002.exe.exe PID: 4260, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.Scan002.exe.exe.6220000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.Scan002.exe.exe.6220000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.Scan002.exe.exe.5f80000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.Scan002.exe.exe.60d0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_03341622 NtSetInformationProcess,3_2_03341622
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_033418E6 NtQuerySystemInformation,3_2_033418E6
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_033418AB NtQuerySystemInformation,3_2_033418AB
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_033415F1 NtSetInformationProcess,3_2_033415F1
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_06CF1C9E NtQuerySystemInformation,8_2_06CF1C9E
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_06CF1C64 NtQuerySystemInformation,8_2_06CF1C64
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDDA800_2_04BDDA80
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDE2E00_2_04BDE2E0
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDAF980_2_04BDAF98
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDF5840_2_04BDF584
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDB7780_2_04BDB778
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDB4D00_2_04BDB4D0
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDE2D00_2_04BDE2D0
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDB4C10_2_04BDB4C1
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDAF880_2_04BDAF88
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDB7700_2_04BDB770
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDDB400_2_04BDDB40
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_06677F750_2_06677F75
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_06677B250_2_06677B25
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_066707C80_2_066707C8
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_066707B80_2_066707B8
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BD3B3F0_2_04BD3B3F
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BD3B500_2_04BD3B50
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BD09500_2_04BD0950
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BD09410_2_04BD0941
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_032DB7483_2_032DB748
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_032D2FA83_2_032D2FA8
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_032D23A03_2_032D23A0
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_032D9A783_2_032D9A78
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_032D8E783_2_032D8E78
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_032D9B3F3_2_032D9B3F
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_032D306F3_2_032D306F
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052AB7788_2_052AB778
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052AF5848_2_052AF584
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052AAF988_2_052AAF98
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052ADA808_2_052ADA80
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052AE2E08_2_052AE2E0
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052AB76A8_2_052AB76A
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052ADB408_2_052ADB40
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052AE35C8_2_052AE35C
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052AAF888_2_052AAF88
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052AB4C18_2_052AB4C1
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052AB4D08_2_052AB4D0
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052AE2D08_2_052AE2D0
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_068A7B258_2_068A7B25
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_068A81348_2_068A8134
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_068A7F758_2_068A7F75
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052A3B3F8_2_052A3B3F
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052A09418_2_052A0941
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052A09508_2_052A0950
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052A3B508_2_052A3B50
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0504B77810_2_0504B778
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0504F58410_2_0504F584
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0504AF8810_2_0504AF88
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0504DA8010_2_0504DA80
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0504E2E010_2_0504E2E0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0504DB4010_2_0504DB40
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0504B4C110_2_0504B4C1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0504B4D010_2_0504B4D0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0504E2D010_2_0504E2D0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_06BF7B2510_2_06BF7B25
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_06BF7F7510_2_06BF7F75
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_05043B3F10_2_05043B3F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0504094110_2_05040941
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0504095010_2_05040950
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_05043B5010_2_05043B50
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 13_2_04F123A013_2_04F123A0
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 13_2_04F12FA813_2_04F12FA8
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 13_2_04F1385013_2_04F13850
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 13_2_04F1306F13_2_04F1306F
        Source: Scan002.exe.exeBinary or memory string: OriginalFilename vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000000.00000002.264686233.0000000006A60000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000000.00000002.264377341.00000000067C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000000.00000002.256132215.00000000050A0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000000.00000002.267133655.00000000073B0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000000.00000002.267133655.00000000073B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000000.00000000.225279011.0000000000322000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameQ& vs Scan002.exe.exe
        Source: Scan002.exe.exeBinary or memory string: OriginalFilename vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000003.00000003.252025197.0000000001653000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameQ& vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000003.00000002.609798776.0000000005F80000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoProtectClient.dllT vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000003.00000002.610681716.0000000006AE0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000003.00000002.609595214.0000000005F20000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000003.00000002.603697296.00000000015FA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000003.00000002.604453423.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Scan002.exe.exe
        Source: Scan002.exe.exeBinary or memory string: OriginalFilename vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000008.00000000.256183402.0000000000A02000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameQ& vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000008.00000002.282371680.0000000006DC0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000008.00000002.282516385.0000000006E80000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000008.00000002.282516385.0000000006E80000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000008.00000002.282247924.0000000006D60000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000008.00000002.282968651.00000000072E0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Scan002.exe.exe
        Source: Scan002.exe.exeBinary or memory string: OriginalFilename vs Scan002.exe.exe
        Source: Scan002.exe.exe, 0000000D.00000002.288483394.0000000005020000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Scan002.exe.exe
        Source: Scan002.exe.exe, 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Scan002.exe.exe
        Source: Scan002.exe.exe, 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoProtectClient.dllT vs Scan002.exe.exe
        Source: Scan002.exe.exe, 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs Scan002.exe.exe
        Source: Scan002.exe.exe, 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Scan002.exe.exe
        Source: Scan002.exe.exe, 0000000D.00000002.286701957.0000000000662000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameQ& vs Scan002.exe.exe
        Source: Scan002.exe.exeBinary or memory string: OriginalFilenameQ& vs Scan002.exe.exe
        Source: Scan002.exe.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.609798776.0000000005F80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.609798776.0000000005F80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.609917775.00000000060D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.609917775.00000000060D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, type: MEMORY