Play interactive tour

Edit tour

Analysis Report f908098a_by_Libranalysis

Overview

General Information

Sample Name:	f908098a_by_Libranalysis (renamed file extension from none to exe)
Analysis ID:	403331
MD5:	f908098af6b73a5ea4081a3474030196
SHA1:	7c92b17c6e2ede3e3bee94c41603795c93d53c89
SHA256:	aeb4339ff4e4d6f8249236e1280111324d84920c23a169cffc67577ab9f69217
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Nanocore RAT

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Machine Learning detection for sample

Potential time zone aware malware

Binary contains a suspicious time stamp

Contains capabilities to detect virtual machines

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Yara signature match

Classification

Startup

System is w10x64

f908098a_by_Libranalysis.exe (PID: 6652 cmdline: 'C:\Users\user\Desktop\f908098a_by_Libranalysis.exe' MD5: F908098AF6B73A5EA4081A3474030196)

backgroundTaskHost.exe (PID: 6724 cmdline: 'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: B7FC4A29431D4F795BBAB1FB182B759A)

cmd.exe (PID: 6948 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 7004 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

f908098a_by_Libranalysis.exe (PID: 7072 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 7088 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

taskhostw.exe (PID: 7104 cmdline: taskhostw.exe None MD5: CE95E236FC9FE2D6F16C926C75B18BAF)

svchost.exe (PID: 7116 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

f908098a_by_Libranalysis.exe (PID: 7124 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 2912 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 4824 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 6208 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 6388 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 6340 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 6352 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 5936 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 5920 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 5924 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 5964 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 5968 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 5660 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 6168 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

svchost.exe (PID: 6596 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

f908098a_by_Libranalysis.exe (PID: 6660 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 6268 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 6400 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 6412 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 6508 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 6692 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 7020 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 7016 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 6984 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 7036 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

f908098a_by_Libranalysis.exe (PID: 4876 cmdline: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe MD5: F908098AF6B73A5EA4081A3474030196)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "b3bfe601-8f28-4397-a972-90d172cf", "Group": "Default", "Domain1": "fedex.itemdb.com", "Domain2": "uspslabel.itemdb.com", "Port": 1090, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000001F.00000002.746272772.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001F.00000002.746272772.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001F.00000002.746272772.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000002.708373051.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.708373051.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.708373051.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000013.00000002.721358453.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000002.721358453.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.721358453.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000016.00000002.727791408.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000016.00000002.727791408.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000016.00000002.727791408.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000021.00000002.748683152.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000021.00000002.748683152.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000021.00000002.748683152.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000B.00000002.701491869.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.701491869.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.701491869.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000002.703895880.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.703895880.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.703895880.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000027.00000002.762072262.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000027.00000002.762072262.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000027.00000002.762072262.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000F.00000002.711316230.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000002.711316230.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.711316230.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001C.00000002.736073940.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001C.00000002.736073940.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001C.00000002.736073940.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000018.00000002.730062781.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000018.00000002.730062781.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000002.730062781.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000015.00000002.725332154.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000002.725332154.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.725332154.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000025.00000002.757220871.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000025.00000002.757220871.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000025.00000002.757220871.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000010.00000002.714383017.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.714383017.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.714383017.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000008.00000002.699198660.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000002.699198660.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.699198660.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000003.845726341.00000000071B2000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xefa5:$x1: NanoCore.ClientPluginHost 0x419e5:$x1: NanoCore.ClientPluginHost 0xefe2:$x2: IClientNetworkHost 0x41a22:$x2: IClientNetworkHost 0x12b15:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x45555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.845726341.00000000071B2000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.845726341.00000000071B2000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xed0d:$a: NanoCore 0xed1d:$a: NanoCore 0xef51:$a: NanoCore 0xef65:$a: NanoCore 0xefa5:$a: NanoCore 0x4174d:$a: NanoCore 0x4175d:$a: NanoCore 0x41991:$a: NanoCore 0x419a5:$a: NanoCore 0x419e5:$a: NanoCore 0xed6c:$b: ClientPlugin 0xef6e:$b: ClientPlugin 0xefae:$b: ClientPlugin 0x417ac:$b: ClientPlugin 0x419ae:$b: ClientPlugin 0x419ee:$b: ClientPlugin 0xee93:$c: ProjectData 0x418d3:$c: ProjectData 0xf89a:$d: DESCrypto 0x422da:$d: DESCrypto 0x17266:$e: KeepAlive
00000000.00000003.805194004.0000000004ACD000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x22935:$x1: NanoCore.ClientPluginHost 0x55375:$x1: NanoCore.ClientPluginHost 0x87db5:$x1: NanoCore.ClientPluginHost 0xba7f5:$x1: NanoCore.ClientPluginHost 0xed235:$x1: NanoCore.ClientPluginHost 0x11fc75:$x1: NanoCore.ClientPluginHost 0x1526b5:$x1: NanoCore.ClientPluginHost 0x1850f5:$x1: NanoCore.ClientPluginHost 0x1b7b35:$x1: NanoCore.ClientPluginHost 0x1ea575:$x1: NanoCore.ClientPluginHost 0x21cfb5:$x1: NanoCore.ClientPluginHost 0x24f9f5:$x1: NanoCore.ClientPluginHost 0x282435:$x1: NanoCore.ClientPluginHost 0x2b4e75:$x1: NanoCore.ClientPluginHost 0x22972:$x2: IClientNetworkHost 0x553b2:$x2: IClientNetworkHost 0x87df2:$x2: IClientNetworkHost 0xba832:$x2: IClientNetworkHost 0xed272:$x2: IClientNetworkHost 0x11fcb2:$x2: IClientNetworkHost 0x1526f2:$x2: IClientNetworkHost
00000000.00000003.805194004.0000000004ACD000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.805194004.0000000004ACD000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2269d:$a: NanoCore 0x226ad:$a: NanoCore 0x228e1:$a: NanoCore 0x228f5:$a: NanoCore 0x22935:$a: NanoCore 0x550dd:$a: NanoCore 0x550ed:$a: NanoCore 0x55321:$a: NanoCore 0x55335:$a: NanoCore 0x55375:$a: NanoCore 0x87b1d:$a: NanoCore 0x87b2d:$a: NanoCore 0x87d61:$a: NanoCore 0x87d75:$a: NanoCore 0x87db5:$a: NanoCore 0xba55d:$a: NanoCore 0xba56d:$a: NanoCore 0xba7a1:$a: NanoCore 0xba7b5:$a: NanoCore 0xba7f5:$a: NanoCore 0xecf9d:$a: NanoCore
00000011.00000002.716772680.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000011.00000002.716772680.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000011.00000002.716772680.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000D.00000002.706079579.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.706079579.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.706079579.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000003.891871365.0000000004ACD000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x22935:$x1: NanoCore.ClientPluginHost 0x55375:$x1: NanoCore.ClientPluginHost 0x6b595:$x1: NanoCore.ClientPluginHost 0x9dfd5:$x1: NanoCore.ClientPluginHost 0xd0a15:$x1: NanoCore.ClientPluginHost 0x103455:$x1: NanoCore.ClientPluginHost 0x135e95:$x1: NanoCore.ClientPluginHost 0x1688d5:$x1: NanoCore.ClientPluginHost 0x19b315:$x1: NanoCore.ClientPluginHost 0x1cdd55:$x1: NanoCore.ClientPluginHost 0x200795:$x1: NanoCore.ClientPluginHost 0x2331d5:$x1: NanoCore.ClientPluginHost 0x265c15:$x1: NanoCore.ClientPluginHost 0x298655:$x1: NanoCore.ClientPluginHost 0x2cb095:$x1: NanoCore.ClientPluginHost 0x22972:$x2: IClientNetworkHost 0x553b2:$x2: IClientNetworkHost 0x6b5d2:$x2: IClientNetworkHost 0x9e012:$x2: IClientNetworkHost 0xd0a52:$x2: IClientNetworkHost 0x103492:$x2: IClientNetworkHost
00000000.00000003.891871365.0000000004ACD000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.891871365.0000000004ACD000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2269d:$a: NanoCore 0x226ad:$a: NanoCore 0x228e1:$a: NanoCore 0x228f5:$a: NanoCore 0x22935:$a: NanoCore 0x550dd:$a: NanoCore 0x550ed:$a: NanoCore 0x55321:$a: NanoCore 0x55335:$a: NanoCore 0x55375:$a: NanoCore 0x6b2fd:$a: NanoCore 0x6b30d:$a: NanoCore 0x6b541:$a: NanoCore 0x6b555:$a: NanoCore 0x6b595:$a: NanoCore 0x9dd3d:$a: NanoCore 0x9dd4d:$a: NanoCore 0x9df81:$a: NanoCore 0x9df95:$a: NanoCore 0x9dfd5:$a: NanoCore 0xd077d:$a: NanoCore
00000012.00000002.718926424.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000012.00000002.718926424.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.718926424.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001D.00000002.738600817.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001D.00000002.738600817.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001D.00000002.738600817.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000003.805655388.0000000005206000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x26325:$x1: NanoCore.ClientPluginHost 0x58d65:$x1: NanoCore.ClientPluginHost 0x8b7a5:$x1: NanoCore.ClientPluginHost 0x26362:$x2: IClientNetworkHost 0x58da2:$x2: IClientNetworkHost 0x8b7e2:$x2: IClientNetworkHost 0x29e95:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5c8d5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x8f315:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.805655388.0000000005206000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.805655388.0000000005206000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2608d:$a: NanoCore 0x2609d:$a: NanoCore 0x262d1:$a: NanoCore 0x262e5:$a: NanoCore 0x26325:$a: NanoCore 0x58acd:$a: NanoCore 0x58add:$a: NanoCore 0x58d11:$a: NanoCore 0x58d25:$a: NanoCore 0x58d65:$a: NanoCore 0x8b50d:$a: NanoCore 0x8b51d:$a: NanoCore 0x8b751:$a: NanoCore 0x8b765:$a: NanoCore 0x8b7a5:$a: NanoCore 0x260ec:$b: ClientPlugin 0x262ee:$b: ClientPlugin 0x2632e:$b: ClientPlugin 0x58b2c:$b: ClientPlugin 0x58d2e:$b: ClientPlugin 0x58d6e:$b: ClientPlugin
00000000.00000003.858964589.0000000004B49000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x21fd5:$x1: NanoCore.ClientPluginHost 0x54a15:$x1: NanoCore.ClientPluginHost 0x87455:$x1: NanoCore.ClientPluginHost 0xb9e95:$x1: NanoCore.ClientPluginHost 0xec8d5:$x1: NanoCore.ClientPluginHost 0x11f315:$x1: NanoCore.ClientPluginHost 0x151d55:$x1: NanoCore.ClientPluginHost 0x184795:$x1: NanoCore.ClientPluginHost 0x1b71d5:$x1: NanoCore.ClientPluginHost 0x1e9c15:$x1: NanoCore.ClientPluginHost 0x21c655:$x1: NanoCore.ClientPluginHost 0x24f095:$x1: NanoCore.ClientPluginHost 0x22012:$x2: IClientNetworkHost 0x54a52:$x2: IClientNetworkHost 0x87492:$x2: IClientNetworkHost 0xb9ed2:$x2: IClientNetworkHost 0xec912:$x2: IClientNetworkHost 0x11f352:$x2: IClientNetworkHost 0x151d92:$x2: IClientNetworkHost 0x1847d2:$x2: IClientNetworkHost 0x1b7212:$x2: IClientNetworkHost
00000000.00000003.858964589.0000000004B49000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.858964589.0000000004B49000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x21d3d:$a: NanoCore 0x21d4d:$a: NanoCore 0x21f81:$a: NanoCore 0x21f95:$a: NanoCore 0x21fd5:$a: NanoCore 0x5477d:$a: NanoCore 0x5478d:$a: NanoCore 0x549c1:$a: NanoCore 0x549d5:$a: NanoCore 0x54a15:$a: NanoCore 0x871bd:$a: NanoCore 0x871cd:$a: NanoCore 0x87401:$a: NanoCore 0x87415:$a: NanoCore 0x87455:$a: NanoCore 0xb9bfd:$a: NanoCore 0xb9c0d:$a: NanoCore 0xb9e41:$a: NanoCore 0xb9e55:$a: NanoCore 0xb9e95:$a: NanoCore 0xec63d:$a: NanoCore
00000000.00000003.818065172.0000000007C37000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1c105:$x1: NanoCore.ClientPluginHost 0x4eb45:$x1: NanoCore.ClientPluginHost 0x81585:$x1: NanoCore.ClientPluginHost 0xb3fc5:$x1: NanoCore.ClientPluginHost 0xe6a05:$x1: NanoCore.ClientPluginHost 0x119445:$x1: NanoCore.ClientPluginHost 0x14be85:$x1: NanoCore.ClientPluginHost 0x17e8c5:$x1: NanoCore.ClientPluginHost 0x1b1305:$x1: NanoCore.ClientPluginHost 0x1e3d45:$x1: NanoCore.ClientPluginHost 0x216785:$x1: NanoCore.ClientPluginHost 0x2491c5:$x1: NanoCore.ClientPluginHost 0x27bc05:$x1: NanoCore.ClientPluginHost 0x2ae645:$x1: NanoCore.ClientPluginHost 0x2e1085:$x1: NanoCore.ClientPluginHost 0x1c142:$x2: IClientNetworkHost 0x4eb82:$x2: IClientNetworkHost 0x815c2:$x2: IClientNetworkHost 0xb4002:$x2: IClientNetworkHost 0xe6a42:$x2: IClientNetworkHost 0x119482:$x2: IClientNetworkHost
00000000.00000003.818065172.0000000007C37000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.818065172.0000000007C37000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1be6d:$a: NanoCore 0x1be7d:$a: NanoCore 0x1c0b1:$a: NanoCore 0x1c0c5:$a: NanoCore 0x1c105:$a: NanoCore 0x4e8ad:$a: NanoCore 0x4e8bd:$a: NanoCore 0x4eaf1:$a: NanoCore 0x4eb05:$a: NanoCore 0x4eb45:$a: NanoCore 0x812ed:$a: NanoCore 0x812fd:$a: NanoCore 0x81531:$a: NanoCore 0x81545:$a: NanoCore 0x81585:$a: NanoCore 0xb3d2d:$a: NanoCore 0xb3d3d:$a: NanoCore 0xb3f71:$a: NanoCore 0xb3f85:$a: NanoCore 0xb3fc5:$a: NanoCore 0xe676d:$a: NanoCore
00000000.00000003.814590016.0000000007237000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5645:$x1: NanoCore.ClientPluginHost 0x38085:$x1: NanoCore.ClientPluginHost 0x6aac5:$x1: NanoCore.ClientPluginHost 0x9d505:$x1: NanoCore.ClientPluginHost 0xcff45:$x1: NanoCore.ClientPluginHost 0x102985:$x1: NanoCore.ClientPluginHost 0x1353c5:$x1: NanoCore.ClientPluginHost 0x167e05:$x1: NanoCore.ClientPluginHost 0x19a845:$x1: NanoCore.ClientPluginHost 0x1cd285:$x1: NanoCore.ClientPluginHost 0x1ffcc5:$x1: NanoCore.ClientPluginHost 0x232705:$x1: NanoCore.ClientPluginHost 0x265145:$x1: NanoCore.ClientPluginHost 0x297b85:$x1: NanoCore.ClientPluginHost 0x2ca5c5:$x1: NanoCore.ClientPluginHost 0x2fd005:$x1: NanoCore.ClientPluginHost 0x32fa45:$x1: NanoCore.ClientPluginHost 0x362485:$x1: NanoCore.ClientPluginHost 0x394ec5:$x1: NanoCore.ClientPluginHost 0x3c7905:$x1: NanoCore.ClientPluginHost 0x3fa345:$x1: NanoCore.ClientPluginHost
00000000.00000003.814590016.0000000007237000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.814590016.0000000007237000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x53ad:$a: NanoCore 0x53bd:$a: NanoCore 0x55f1:$a: NanoCore 0x5605:$a: NanoCore 0x5645:$a: NanoCore 0x37ded:$a: NanoCore 0x37dfd:$a: NanoCore 0x38031:$a: NanoCore 0x38045:$a: NanoCore 0x38085:$a: NanoCore 0x6a82d:$a: NanoCore 0x6a83d:$a: NanoCore 0x6aa71:$a: NanoCore 0x6aa85:$a: NanoCore 0x6aac5:$a: NanoCore 0x9d26d:$a: NanoCore 0x9d27d:$a: NanoCore 0x9d4b1:$a: NanoCore 0x9d4c5:$a: NanoCore 0x9d505:$a: NanoCore 0xcfcad:$a: NanoCore
Process Memory Space: f908098a_by_Libranalysis.exe PID: 7124	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x133112:$x1: NanoCore.ClientPluginHost 0x133173:$x2: IClientNetworkHost 0x138578:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1464ea:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: f908098a_by_Libranalysis.exe PID: 7124	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: f908098a_by_Libranalysis.exe PID: 7124	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x132c17:$a: NanoCore 0x132c33:$a: NanoCore 0x132d8e:$a: NanoCore 0x132d9d:$a: NanoCore 0x133076:$a: NanoCore 0x1330a2:$a: NanoCore 0x133112:$a: NanoCore 0x142b54:$a: NanoCore 0x142b66:$a: NanoCore 0x142ba2:$a: NanoCore 0x132cbe:$b: ClientPlugin 0x132de7:$b: ClientPlugin 0x1330ab:$b: ClientPlugin 0x13311b:$b: ClientPlugin 0x142b6f:$b: ClientPlugin 0x142bab:$b: ClientPlugin 0x132f34:$c: ProjectData 0x142aa1:$c: ProjectData 0x134070:$d: DESCrypto 0x1433ff:$d: DESCrypto 0x13e3fd:$e: KeepAlive
Process Memory Space: f908098a_by_Libranalysis.exe PID: 5936	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x11c2a3:$x1: NanoCore.ClientPluginHost 0x11c304:$x2: IClientNetworkHost 0x121709:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12f67b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: f908098a_by_Libranalysis.exe PID: 5936	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: f908098a_by_Libranalysis.exe PID: 5936	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x11bda8:$a: NanoCore 0x11bdc4:$a: NanoCore 0x11bf1f:$a: NanoCore 0x11bf2e:$a: NanoCore 0x11c207:$a: NanoCore 0x11c233:$a: NanoCore 0x11c2a3:$a: NanoCore 0x12bce5:$a: NanoCore 0x12bcf7:$a: NanoCore 0x12bd33:$a: NanoCore 0x11be4f:$b: ClientPlugin 0x11bf78:$b: ClientPlugin 0x11c23c:$b: ClientPlugin 0x11c2ac:$b: ClientPlugin 0x12bd00:$b: ClientPlugin 0x12bd3c:$b: ClientPlugin 0x11c0c5:$c: ProjectData 0x12bc32:$c: ProjectData 0x11d201:$d: DESCrypto 0x12c590:$d: DESCrypto 0x12758e:$e: KeepAlive
Process Memory Space: f908098a_by_Libranalysis.exe PID: 2912	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x24ceb5:$x1: NanoCore.ClientPluginHost 0x24cf16:$x2: IClientNetworkHost 0x25231b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x26028d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: f908098a_by_Libranalysis.exe PID: 2912	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: f908098a_by_Libranalysis.exe PID: 2912	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24c9ba:$a: NanoCore 0x24c9d6:$a: NanoCore 0x24cb31:$a: NanoCore 0x24cb40:$a: NanoCore 0x24ce19:$a: NanoCore 0x24ce45:$a: NanoCore 0x24ceb5:$a: NanoCore 0x25c8f7:$a: NanoCore 0x25c909:$a: NanoCore 0x25c945:$a: NanoCore 0x24ca61:$b: ClientPlugin 0x24cb8a:$b: ClientPlugin 0x24ce4e:$b: ClientPlugin 0x24cebe:$b: ClientPlugin 0x25c912:$b: ClientPlugin 0x25c94e:$b: ClientPlugin 0x24ccd7:$c: ProjectData 0x25c844:$c: ProjectData 0x24de13:$d: DESCrypto 0x25d1a2:$d: DESCrypto 0x2581a0:$e: KeepAlive
Process Memory Space: f908098a_by_Libranalysis.exe PID: 5920	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x20cb:$x1: NanoCore.ClientPluginHost 0x212c:$x2: IClientNetworkHost 0x7531:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x154a3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: f908098a_by_Libranalysis.exe PID: 5920	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: f908098a_by_Libranalysis.exe PID: 5920	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1bd0:$a: NanoCore 0x1bec:$a: NanoCore 0x1d47:$a: NanoCore 0x1d56:$a: NanoCore 0x202f:$a: NanoCore 0x205b:$a: NanoCore 0x20cb:$a: NanoCore 0x11b0d:$a: NanoCore 0x11b1f:$a: NanoCore 0x11b5b:$a: NanoCore 0x1c77:$b: ClientPlugin 0x1da0:$b: ClientPlugin 0x2064:$b: ClientPlugin 0x20d4:$b: ClientPlugin 0x11b28:$b: ClientPlugin 0x11b64:$b: ClientPlugin 0x1eed:$c: ProjectData 0x11a5a:$c: ProjectData 0x3029:$d: DESCrypto 0x123b8:$d: DESCrypto 0xd3b6:$e: KeepAlive
Process Memory Space: f908098a_by_Libranalysis.exe PID: 6208	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13197f:$x1: NanoCore.ClientPluginHost 0x1319e0:$x2: IClientNetworkHost 0x136de5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x144d57:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: f908098a_by_Libranalysis.exe PID: 6208	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: f908098a_by_Libranalysis.exe PID: 6208	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x131484:$a: NanoCore 0x1314a0:$a: NanoCore 0x1315fb:$a: NanoCore 0x13160a:$a: NanoCore 0x1318e3:$a: NanoCore 0x13190f:$a: NanoCore 0x13197f:$a: NanoCore 0x1413c1:$a: NanoCore 0x1413d3:$a: NanoCore 0x14140f:$a: NanoCore 0x13152b:$b: ClientPlugin 0x131654:$b: ClientPlugin 0x131918:$b: ClientPlugin 0x131988:$b: ClientPlugin 0x1413dc:$b: ClientPlugin 0x141418:$b: ClientPlugin 0x1317a1:$c: ProjectData 0x14130e:$c: ProjectData 0x1328dd:$d: DESCrypto 0x141c6c:$d: DESCrypto 0x13cc6a:$e: KeepAlive
Process Memory Space: f908098a_by_Libranalysis.exe PID: 6652	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd3fa:$x1: NanoCore.ClientPluginHost 0x2c369:$x1: NanoCore.ClientPluginHost 0x479c5:$x1: NanoCore.ClientPluginHost 0x66934:$x1: NanoCore.ClientPluginHost 0x858a3:$x1: NanoCore.ClientPluginHost 0xa4812:$x1: NanoCore.ClientPluginHost 0xc3781:$x1: NanoCore.ClientPluginHost 0xe26f0:$x1: NanoCore.ClientPluginHost 0x10165f:$x1: NanoCore.ClientPluginHost 0x1205ce:$x1: NanoCore.ClientPluginHost 0x13f53d:$x1: NanoCore.ClientPluginHost 0x15e4ac:$x1: NanoCore.ClientPluginHost 0x17d41b:$x1: NanoCore.ClientPluginHost 0x19c38a:$x1: NanoCore.ClientPluginHost 0x1bb2f9:$x1: NanoCore.ClientPluginHost 0x1ecaf9:$x1: NanoCore.ClientPluginHost 0x20ba68:$x1: NanoCore.ClientPluginHost 0x22a9d7:$x1: NanoCore.ClientPluginHost 0x249946:$x1: NanoCore.ClientPluginHost 0x2688b5:$x1: NanoCore.ClientPluginHost 0x287824:$x1: NanoCore.ClientPluginHost
Process Memory Space: f908098a_by_Libranalysis.exe PID: 6652	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: f908098a_by_Libranalysis.exe PID: 6652	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xceff:$a: NanoCore 0xcf1b:$a: NanoCore 0xd076:$a: NanoCore 0xd085:$a: NanoCore 0xd35e:$a: NanoCore 0xd38a:$a: NanoCore 0xd3fa:$a: NanoCore 0x1ce3c:$a: NanoCore 0x1ce4e:$a: NanoCore 0x1ce8a:$a: NanoCore 0x2be6e:$a: NanoCore 0x2be8a:$a: NanoCore 0x2bfe5:$a: NanoCore 0x2bff4:$a: NanoCore 0x2c2cd:$a: NanoCore 0x2c2f9:$a: NanoCore 0x2c369:$a: NanoCore 0x3bdab:$a: NanoCore 0x3bdbd:$a: NanoCore 0x3bdf9:$a: NanoCore 0x474ca:$a: NanoCore
Process Memory Space: f908098a_by_Libranalysis.exe PID: 7088	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x24b4a6:$x1: NanoCore.ClientPluginHost 0x24b507:$x2: IClientNetworkHost 0x25090c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x25e87e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: f908098a_by_Libranalysis.exe PID: 7088	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: f908098a_by_Libranalysis.exe PID: 7088	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24afab:$a: NanoCore 0x24afc7:$a: NanoCore 0x24b122:$a: NanoCore 0x24b131:$a: NanoCore 0x24b40a:$a: NanoCore 0x24b436:$a: NanoCore 0x24b4a6:$a: NanoCore 0x25aee8:$a: NanoCore 0x25aefa:$a: NanoCore 0x25af36:$a: NanoCore 0x24b052:$b: ClientPlugin 0x24b17b:$b: ClientPlugin 0x24b43f:$b: ClientPlugin 0x24b4af:$b: ClientPlugin 0x25af03:$b: ClientPlugin 0x25af3f:$b: ClientPlugin 0x24b2c8:$c: ProjectData 0x25ae35:$c: ProjectData 0x24c404:$d: DESCrypto 0x25b793:$d: DESCrypto 0x256791:$e: KeepAlive
Process Memory Space: f908098a_by_Libranalysis.exe PID: 4824	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x24c22e:$x1: NanoCore.ClientPluginHost 0x24c28f:$x2: IClientNetworkHost 0x251694:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x25f606:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: f908098a_by_Libranalysis.exe PID: 4824	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: f908098a_by_Libranalysis.exe PID: 4824	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24bd33:$a: NanoCore 0x24bd4f:$a: NanoCore 0x24beaa:$a: NanoCore 0x24beb9:$a: NanoCore 0x24c192:$a: NanoCore 0x24c1be:$a: NanoCore 0x24c22e:$a: NanoCore 0x25bc70:$a: NanoCore 0x25bc82:$a: NanoCore 0x25bcbe:$a: NanoCore 0x24bdda:$b: ClientPlugin 0x24bf03:$b: ClientPlugin 0x24c1c7:$b: ClientPlugin 0x24c237:$b: ClientPlugin 0x25bc8b:$b: ClientPlugin 0x25bcc7:$b: ClientPlugin 0x24c050:$c: ProjectData 0x25bbbd:$c: ProjectData 0x24d18c:$d: DESCrypto 0x25c51b:$d: DESCrypto 0x257519:$e: KeepAlive
Process Memory Space: f908098a_by_Libranalysis.exe PID: 6268	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x11c1b6:$x1: NanoCore.ClientPluginHost 0x11c217:$x2: IClientNetworkHost 0x12161c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12f58e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: f908098a_by_Libranalysis.exe PID: 6268	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: f908098a_by_Libranalysis.exe PID: 6268	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x11bcbb:$a: NanoCore 0x11bcd7:$a: NanoCore 0x11be32:$a: NanoCore 0x11be41:$a: NanoCore 0x11c11a:$a: NanoCore 0x11c146:$a: NanoCore 0x11c1b6:$a: NanoCore 0x12bbf8:$a: NanoCore 0x12bc0a:$a: NanoCore 0x12bc46:$a: NanoCore 0x11bd62:$b: ClientPlugin 0x11be8b:$b: ClientPlugin 0x11c14f:$b: ClientPlugin 0x11c1bf:$b: ClientPlugin 0x12bc13:$b: ClientPlugin 0x12bc4f:$b: ClientPlugin 0x11bfd8:$c: ProjectData 0x12bb45:$c: ProjectData 0x11d114:$d: DESCrypto 0x12c4a3:$d: DESCrypto 0x1274a1:$e: KeepAlive
Click to see the 100 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
22.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
22.2.f908098a_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.f908098a_by_Libranalysis.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
19.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
19.2.f908098a_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.f908098a_by_Libranalysis.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
37.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
37.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
37.2.f908098a_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
37.2.f908098a_by_Libranalysis.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
18.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
18.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
18.2.f908098a_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.f908098a_by_Libranalysis.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
28.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
28.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
28.2.f908098a_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
28.2.f908098a_by_Libranalysis.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
17.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
17.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
17.2.f908098a_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.f908098a_by_Libranalysis.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
24.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
24.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
24.2.f908098a_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.2.f908098a_by_Libranalysis.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
29.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
29.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
29.2.f908098a_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
29.2.f908098a_by_Libranalysis.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
11.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
11.2.f908098a_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.f908098a_by_Libranalysis.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
8.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
8.2.f908098a_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.f908098a_by_Libranalysis.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
13.2.f908098a_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.f908098a_by_Libranalysis.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
16.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.2.f908098a_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.f908098a_by_Libranalysis.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.2.f908098a_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.f908098a_by_Libranalysis.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
39.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
39.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
39.2.f908098a_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
39.2.f908098a_by_Libranalysis.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
31.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
31.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
31.2.f908098a_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
31.2.f908098a_by_Libranalysis.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
15.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
15.2.f908098a_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.f908098a_by_Libranalysis.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.f908098a_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.f908098a_by_Libranalysis.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
33.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
33.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
33.2.f908098a_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
33.2.f908098a_by_Libranalysis.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.f908098a_by_Libranalysis.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.2.f908098a_by_Libranalysis.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.f908098a_by_Libranalysis.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Click to see the 71 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 22.2.f908098a_by_Libranalysis.exe.400000.0.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "b3bfe601-8f28-4397-a972-90d172cf", "Group": "Default", "Domain1": "fedex.itemdb.com", "Domain2": "uspslabel.itemdb.com", "Port": 1090, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Multi AV Scanner detection for submitted file

Show sources

Source: f908098a_by_Libranalysis.exe	Virustotal: Detection: 30%			Perma Link
Source: f908098a_by_Libranalysis.exe	ReversingLabs: Detection: 31%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001F.00000002.746272772.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.708373051.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.721358453.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.727791408.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.748683152.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.701491869.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.703895880.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.762072262.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.711316230.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.736073940.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.730062781.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.725332154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.757220871.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.714383017.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.699198660.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.845726341.00000000071B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.805194004.0000000004ACD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.716772680.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.706079579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.891871365.0000000004ACD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.718926424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.738600817.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.805655388.0000000005206000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.858964589.0000000004B49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.818065172.0000000007C37000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.814590016.0000000007237000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 7124, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 5936, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 2912, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 5920, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6208, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6652, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 7088, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 4824, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6268, type: MEMORY
Source: Yara match	File source: 22.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: f908098a_by_Libranalysis.exe

Joe Sandbox ML: detected

Source: f908098a_by_Libranalysis.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\backgroundTaskHost.exe	File opened: C:\Windows\System32\TileDataRepository.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	File opened: C:\Windows\system32\Windows.StateRepository.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	File opened: C:\Windows\SYSTEM32\usermgrcli.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	File opened: C:\Windows\System32\Windows.StateRepositoryPS.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	File opened: C:\Windows\system32\StateRepository.Core.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	File opened: C:\Windows\System32\usermgrproxy.dll

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: uspslabel.itemdb.com
Source: Malware configuration extractor	URLs: fedex.itemdb.com

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001F.00000002.746272772.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.708373051.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.721358453.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.727791408.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.748683152.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.701491869.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.703895880.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.762072262.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.711316230.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.736073940.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.730062781.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.725332154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.757220871.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.714383017.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.699198660.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.845726341.00000000071B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.805194004.0000000004ACD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.716772680.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.706079579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.891871365.0000000004ACD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.718926424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.738600817.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.805655388.0000000005206000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.858964589.0000000004B49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.818065172.0000000007C37000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.814590016.0000000007237000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 7124, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 5936, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 2912, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 5920, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6208, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6652, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 7088, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 4824, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6268, type: MEMORY
Source: Yara match	File source: 22.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000001F.00000002.746272772.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001F.00000002.746272772.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.708373051.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.708373051.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.721358453.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.721358453.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.727791408.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.727791408.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.748683152.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000021.00000002.748683152.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.701491869.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.701491869.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.703895880.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.703895880.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000027.00000002.762072262.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000027.00000002.762072262.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.711316230.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.711316230.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.736073940.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001C.00000002.736073940.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.730062781.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.730062781.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.725332154.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.725332154.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000025.00000002.757220871.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000025.00000002.757220871.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.714383017.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.714383017.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.699198660.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.699198660.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.845726341.00000000071B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.845726341.00000000071B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.805194004.0000000004ACD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.805194004.0000000004ACD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.716772680.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.716772680.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.706079579.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.706079579.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.891871365.0000000004ACD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.891871365.0000000004ACD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.718926424.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.718926424.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.738600817.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001D.00000002.738600817.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.805655388.0000000005206000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.805655388.0000000005206000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.858964589.0000000004B49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.858964589.0000000004B49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.818065172.0000000007C37000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.818065172.0000000007C37000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.814590016.0000000007237000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.814590016.0000000007237000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 7124, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 7124, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 5936, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 5936, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 2912, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 2912, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 5920, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 5920, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6208, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6208, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6652, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6652, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 7088, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 7088, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 4824, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 4824, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6268, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6268, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 37.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 37.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 39.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 39.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 31.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 31.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 33.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

.NET source code contains very large strings

Show sources

Source: f908098a_by_Libranalysis.exe, ????????????????????????????????????????????????/??????????.cs	Long String: Length: 1151773
Source: 0.0.f908098a_by_Libranalysis.exe.d50000.0.unpack, ????????????????????????????????????????????????/??????????.cs	Long String: Length: 1151773
Source: 7.2.f908098a_by_Libranalysis.exe.2a0000.0.unpack, ????????????????????????????????????????????????/??????????.cs	Long String: Length: 1151773
Source: 7.0.f908098a_by_Libranalysis.exe.2a0000.0.unpack, ????????????????????????????????????????????????/??????????.cs	Long String: Length: 1151773
Source: 8.0.f908098a_by_Libranalysis.exe.6c0000.0.unpack, ????????????????????????????????????????????????/??????????.cs	Long String: Length: 1151773
Source: 8.2.f908098a_by_Libranalysis.exe.6c0000.1.unpack, ????????????????????????????????????????????????/??????????.cs	Long String: Length: 1151773
Source: 11.2.f908098a_by_Libranalysis.exe.f90000.1.unpack, ????????????????????????????????????????????????/??????????.cs	Long String: Length: 1151773
Source: 11.0.f908098a_by_Libranalysis.exe.f90000.0.unpack, ????????????????????????????????????????????????/??????????.cs	Long String: Length: 1151773
Source: 12.2.f908098a_by_Libranalysis.exe.f80000.1.unpack, ????????????????????????????????????????????????/??????????.cs	Long String: Length: 1151773
Source: 12.0.f908098a_by_Libranalysis.exe.f80000.0.unpack, ????????????????????????????????????????????????/??????????.cs	Long String: Length: 1151773
Source: 13.0.f908098a_by_Libranalysis.exe.ea0000.0.unpack, ????????????????????????????????????????????????/??????????.cs	Long String: Length: 1151773
Source: 13.2.f908098a_by_Libranalysis.exe.ea0000.1.unpack, ????????????????????????????????????????????????/??????????.cs	Long String: Length: 1151773
Source: 14.2.f908098a_by_Libranalysis.exe.e30000.1.unpack, ????????????????????????????????????????????????/??????????.cs	Long String: Length: 1151773
Source: 14.0.f908098a_by_Libranalysis.exe.e30000.0.unpack, ????????????????????????????????????????????????/??????????.cs	Long String: Length: 1151773
Source: 15.2.f908098a_by_Libranalysis.exe.b80000.1.unpack, ????????????????????????????????????????????????/??????????.cs	Long String: Length: 1151773
Source: 15.0.f908098a_by_Libranalysis.exe.b80000.0.unpack, ????????????????????????????????????????????????/??????????.cs	Long String: Length: 1151773
Source: 16.2.f908098a_by_Libranalysis.exe.600000.1.unpack, ????????????????????????????????????????????????/??????????.cs	Long String: Length: 1151773
Source: 16.0.f908098a_by_Libranalysis.exe.600000.0.unpack, ????????????????????????????????????????????????/??????????.cs	Long String: Length: 1151773
Source: 17.2.f908098a_by_Libranalysis.exe.a70000.1.unpack, ????????????????????????????????????????????????/??????????.cs	Long String: Length: 1151773

Source: f908098a_by_Libranalysis.exe, 00000000.00000003.891871365.0000000004ACD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTtUj Rdm.exe2 vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 00000000.00000000.673976619.0000000000D52000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe	Binary or memory string: OriginalFilename vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 00000007.00000000.696324245.00000000002A2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe	Binary or memory string: OriginalFilename vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 00000008.00000002.699238614.00000000006C2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe	Binary or memory string: OriginalFilename vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 0000000B.00000000.700650795.0000000000F92000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe	Binary or memory string: OriginalFilename vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 0000000C.00000002.703961942.0000000000F82000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe	Binary or memory string: OriginalFilename vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 0000000D.00000000.705268278.0000000000EA2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe	Binary or memory string: OriginalFilename vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 0000000E.00000002.708435337.0000000000E32000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe	Binary or memory string: OriginalFilename vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 0000000F.00000000.709949369.0000000000B82000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 00000010.00000002.714455206.0000000000602000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 00000011.00000000.715837458.0000000000A72000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 00000012.00000002.718980811.0000000000982000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 00000013.00000002.721470449.0000000000D32000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 00000014.00000002.723054234.0000000000152000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 00000015.00000000.724467032.0000000000762000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 00000016.00000002.727838186.0000000000CD2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 00000018.00000000.729151615.0000000000472000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 00000019.00000002.731766361.00000000003C2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 0000001B.00000002.733743224.0000000000302000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 0000001C.00000000.735042109.0000000000CE2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 0000001D.00000000.737828175.0000000000C92000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 0000001E.00000000.740798809.0000000000312000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 0000001F.00000000.745314165.0000000000BF2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 00000021.00000002.748765167.0000000000F52000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 00000022.00000002.751235446.00000000001B2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 00000024.00000000.752668364.00000000000C2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 00000025.00000000.754588800.0000000000F22000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 00000026.00000000.758516473.00000000002B2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe, 00000027.00000002.762246213.0000000000E32000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe
Source: f908098a_by_Libranalysis.exe	Binary or memory string: OriginalFilenamefirst.exe, vs f908098a_by_Libranalysis.exe

Source: 0000001F.00000002.746272772.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001F.00000002.746272772.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.708373051.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.708373051.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.721358453.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.721358453.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.727791408.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.727791408.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000021.00000002.748683152.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000021.00000002.748683152.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.701491869.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.701491869.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.703895880.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.703895880.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000027.00000002.762072262.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000027.00000002.762072262.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.711316230.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.711316230.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.736073940.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001C.00000002.736073940.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.730062781.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.730062781.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.725332154.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.725332154.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000025.00000002.757220871.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000025.00000002.757220871.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.714383017.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.714383017.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.699198660.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.699198660.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.845726341.00000000071B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.845726341.00000000071B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.805194004.0000000004ACD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.805194004.0000000004ACD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.716772680.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.716772680.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.706079579.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.706079579.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.891871365.0000000004ACD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.891871365.0000000004ACD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.718926424.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.718926424.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000002.738600817.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001D.00000002.738600817.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.805655388.0000000005206000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.805655388.0000000005206000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.858964589.0000000004B49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.858964589.0000000004B49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.818065172.0000000007C37000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.818065172.0000000007C37000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.814590016.0000000007237000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.814590016.0000000007237000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 7124, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 7124, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 5936, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 5936, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 2912, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 2912, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 5920, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 5920, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6208, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6208, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6652, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6652, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 7088, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 7088, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 4824, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 4824, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6268, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6268, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 37.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 37.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 37.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 29.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 39.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 39.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 39.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 31.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 31.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 31.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 33.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 33.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: 8.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 11.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 11.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 16.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 8.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 8.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@261/0@0/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01

Source: f908098a_by_Libranalysis.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: f908098a_by_Libranalysis.exe	Virustotal: Detection: 30%
Source: f908098a_by_Libranalysis.exe	ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe 'C:\Users\user\Desktop\f908098a_by_Libranalysis.exe'
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Windows\System32\backgroundTaskHost.exe 'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Windows\System32\taskhostw.exe taskhostw.exe None
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Windows\System32\taskhostw.exe taskhostw.exe None
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1

Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: f908098a_by_Libranalysis.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: f908098a_by_Libranalysis.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: f908098a_by_Libranalysis.exe

Static file information: File size 2311168 > 1048576

Source: f908098a_by_Libranalysis.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x233a00

Source: f908098a_by_Libranalysis.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 8.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: f908098a_by_Libranalysis.exe

Static PE information: 0xD93B9850 [Thu Jun 28 10:11:28 2085 UTC]

Source: 8.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 8.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 11.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 11.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 12.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 12.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 13.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 13.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 14.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 14.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 15.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 15.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 16.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 16.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 17.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 17.2.f908098a_by_Libranalysis.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Potential time zone aware malware

Show sources

Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe

System information queried: CurrentTimeZoneInformation

Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\backgroundTaskHost.exe	File opened: C:\Windows\System32\TileDataRepository.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	File opened: C:\Windows\system32\Windows.StateRepository.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	File opened: C:\Windows\SYSTEM32\usermgrcli.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	File opened: C:\Windows\System32\Windows.StateRepositoryPS.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	File opened: C:\Windows\system32\StateRepository.Core.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	File opened: C:\Windows\System32\usermgrproxy.dll

Source: svchost.exe, 0000000A.00000002.712688032.0000015BD0B40000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.752259578.0000028532C80000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 0000000A.00000002.712688032.0000015BD0B40000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.752259578.0000028532C80000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 0000000A.00000002.712688032.0000015BD0B40000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.752259578.0000028532C80000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 0000000A.00000002.712688032.0000015BD0B40000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.752259578.0000028532C80000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe

Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe

Process token adjusted: Debug

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Windows\System32\taskhostw.exe taskhostw.exe None
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1

Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Queries volume information: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe VolumeInformation
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\Desktop\f908098a_by_Libranalysis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001F.00000002.746272772.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.708373051.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.721358453.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.727791408.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.748683152.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.701491869.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.703895880.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.762072262.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.711316230.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.736073940.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.730062781.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.725332154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.757220871.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.714383017.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.699198660.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.845726341.00000000071B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.805194004.0000000004ACD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.716772680.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.706079579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.891871365.0000000004ACD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.718926424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.738600817.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.805655388.0000000005206000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.858964589.0000000004B49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.818065172.0000000007C37000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.814590016.0000000007237000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 7124, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 5936, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 2912, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 5920, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6208, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6652, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 7088, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 4824, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6268, type: MEMORY
Source: Yara match	File source: 22.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: f908098a_by_Libranalysis.exe, 00000000.00000003.891871365.0000000004ACD000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: f908098a_by_Libranalysis.exe, 00000008.00000002.699198660.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: f908098a_by_Libranalysis.exe, 0000000B.00000002.701491869.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: f908098a_by_Libranalysis.exe, 0000000C.00000002.703895880.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: f908098a_by_Libranalysis.exe, 0000000D.00000002.706079579.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: f908098a_by_Libranalysis.exe, 0000000E.00000002.708373051.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: f908098a_by_Libranalysis.exe, 0000000F.00000002.711316230.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: f908098a_by_Libranalysis.exe, 00000010.00000002.714383017.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: f908098a_by_Libranalysis.exe, 00000011.00000002.716772680.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: f908098a_by_Libranalysis.exe, 00000012.00000002.718926424.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: f908098a_by_Libranalysis.exe, 00000013.00000002.721358453.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: f908098a_by_Libranalysis.exe, 00000015.00000002.725332154.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: f908098a_by_Libranalysis.exe, 00000016.00000002.727791408.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: f908098a_by_Libranalysis.exe, 00000018.00000002.730062781.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: f908098a_by_Libranalysis.exe, 0000001C.00000002.736073940.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: f908098a_by_Libranalysis.exe, 0000001D.00000002.738600817.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: f908098a_by_Libranalysis.exe, 0000001F.00000002.746272772.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: f908098a_by_Libranalysis.exe, 00000021.00000002.748683152.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: f908098a_by_Libranalysis.exe, 00000025.00000002.757220871.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: f908098a_by_Libranalysis.exe, 00000027.00000002.762072262.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001F.00000002.746272772.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.708373051.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.721358453.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.727791408.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.748683152.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.701491869.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.703895880.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.762072262.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.711316230.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.736073940.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.730062781.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.725332154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.757220871.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.714383017.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.699198660.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.845726341.00000000071B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.805194004.0000000004ACD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.716772680.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.706079579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.891871365.0000000004ACD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.718926424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.738600817.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.805655388.0000000005206000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.858964589.0000000004B49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.818065172.0000000007C37000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.814590016.0000000007237000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 7124, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 5936, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 2912, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 5920, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6208, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6652, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 7088, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 4824, type: MEMORY
Source: Yara match	File source: Process Memory Space: f908098a_by_Libranalysis.exe PID: 6268, type: MEMORY
Source: Yara match	File source: 22.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.f908098a_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection11	Virtualization/Sandbox Evasion11	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Remote Access Software1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Security Software Discovery111	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Timestomp1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
f908098a_by_Libranalysis.exe	30%	Virustotal	Browse
f908098a_by_Libranalysis.exe	32%	ReversingLabs
f908098a_by_Libranalysis.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
22.2.f908098a_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
18.2.f908098a_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
37.2.f908098a_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
17.2.f908098a_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
19.2.f908098a_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
28.2.f908098a_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
24.2.f908098a_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
11.2.f908098a_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
29.2.f908098a_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
13.2.f908098a_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
8.2.f908098a_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
39.2.f908098a_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
16.2.f908098a_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
21.2.f908098a_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
31.2.f908098a_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
15.2.f908098a_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
14.2.f908098a_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
33.2.f908098a_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
12.2.f908098a_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
fedex.itemdb.com	3%	Virustotal		Browse
fedex.itemdb.com	0%	Avira URL Cloud	safe
uspslabel.itemdb.com	1%	Virustotal		Browse
uspslabel.itemdb.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
fedex.itemdb.com	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
uspslabel.itemdb.com	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	403331
Start date:	04.05.2021
Start time:	03:39:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 38s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	f908098a_by_Libranalysis (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@261/0@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found. Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	2.5846346250292926
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	f908098a_by_Libranalysis.exe
File size:	2311168
MD5:	f908098af6b73a5ea4081a3474030196
SHA1:	7c92b17c6e2ede3e3bee94c41603795c93d53c89
SHA256:	aeb4339ff4e4d6f8249236e1280111324d84920c23a169cffc67577ab9f69217
SHA512:	de7957ec6b9189692c239e7198736259f755f5e2d7b881cd5f8c56aff8755686e0ee6bd7ac1cf147474c31a8994088fbefd4f54a576316c42c8020e6df4eb9f1
SSDEEP:	1536:6cvkyC4QOoyJ+e6LlKK6Prm6P/T6jAnJ6RIB6P9J/e6LoB7/s6/nYBew18hZEMGd:Bm
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P.;..........."...0..:#.........~Y#.. ...`#...@.. ........................#...........@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x63597e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xD93B9850 [Thu Jun 28 10:11:28 2085 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x235930	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x236000	0x588	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x238000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x233984	0x233a00	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x236000	0x588	0x600	False	0.412760416667	data	4.01111930109	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x238000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2360a0	0x2fc	data
RT_MANIFEST	0x23639c	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2021
Assembly Version	1.0.0.0
InternalName	first.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	first
ProductVersion	1.0.0.0
FileDescription	first
OriginalFilename	first.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: f908098a_by_Libranalysis.exe PID: 6652 Parent PID: 5812

General

Start time:	03:40:11
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\f908098a_by_Libranalysis.exe'
Imagebase:	0xd50000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.845726341.00000000071B2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.845726341.00000000071B2000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.845726341.00000000071B2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.805194004.0000000004ACD000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.805194004.0000000004ACD000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.805194004.0000000004ACD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.891871365.0000000004ACD000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.891871365.0000000004ACD000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.891871365.0000000004ACD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.805655388.0000000005206000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.805655388.0000000005206000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.805655388.0000000005206000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.858964589.0000000004B49000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.858964589.0000000004B49000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.858964589.0000000004B49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.818065172.0000000007C37000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.818065172.0000000007C37000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.818065172.0000000007C37000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.814590016.0000000007237000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.814590016.0000000007237000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.814590016.0000000007237000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: backgroundTaskHost.exe PID: 6724 Parent PID: 800

General

Start time:	03:40:13
Start date:	04/05/2021
Path:	C:\Windows\System32\backgroundTaskHost.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Imagebase:	0x7ff732050000
File size:	19352 bytes
MD5 hash:	B7FC4A29431D4F795BBAB1FB182B759A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 6948 Parent PID: 6652

General

Start time:	03:40:18
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6964 Parent PID: 6948

General

Start time:	03:40:18
Start date:	04/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exe PID: 7004 Parent PID: 6948

General

Start time:	03:40:19
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 1
Imagebase:	0xb70000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: f908098a_by_Libranalysis.exe PID: 7072 Parent PID: 6652

General

Start time:	03:40:22
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0x2a0000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: f908098a_by_Libranalysis.exe PID: 7088 Parent PID: 6652

General

Start time:	03:40:23
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0x6c0000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.699198660.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.699198660.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000002.699198660.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: taskhostw.exe PID: 7104 Parent PID: 968

General

Start time:	03:40:23
Start date:	04/05/2021
Path:	C:\Windows\System32\taskhostw.exe
Wow64 process (32bit):	false
Commandline:	taskhostw.exe None
Imagebase:	0x7ff73c340000
File size:	87904 bytes
MD5 hash:	CE95E236FC9FE2D6F16C926C75B18BAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: svchost.exe PID: 7116 Parent PID: 568

General

Start time:	03:40:23
Start date:	04/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: f908098a_by_Libranalysis.exe PID: 7124 Parent PID: 6652

General

Start time:	03:40:24
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0xf90000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.701491869.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.701491869.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.701491869.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: f908098a_by_Libranalysis.exe PID: 2912 Parent PID: 6652

General

Start time:	03:40:25
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0xf80000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.703895880.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.703895880.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.703895880.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: f908098a_by_Libranalysis.exe PID: 4824 Parent PID: 6652

General

Start time:	03:40:26
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0xea0000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.706079579.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.706079579.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.706079579.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: f908098a_by_Libranalysis.exe PID: 6208 Parent PID: 6652

General

Start time:	03:40:27
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0xe30000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.708373051.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.708373051.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.708373051.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: f908098a_by_Libranalysis.exe PID: 6388 Parent PID: 6652

General

Start time:	03:40:28
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0xb80000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.711316230.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.711316230.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.711316230.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: f908098a_by_Libranalysis.exe PID: 6340 Parent PID: 6652

General

Start time:	03:40:29
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0x600000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.714383017.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.714383017.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.714383017.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: f908098a_by_Libranalysis.exe PID: 6352 Parent PID: 6652

General

Start time:	03:40:31
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0xa70000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.716772680.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.716772680.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000011.00000002.716772680.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: f908098a_by_Libranalysis.exe PID: 5936 Parent PID: 6652

General

Start time:	03:40:32
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0x980000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.718926424.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.718926424.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000012.00000002.718926424.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: f908098a_by_Libranalysis.exe PID: 5920 Parent PID: 6652

General

Start time:	03:40:33
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0xd30000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.721358453.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.721358453.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000002.721358453.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: f908098a_by_Libranalysis.exe PID: 5924 Parent PID: 6652

General

Start time:	03:40:34
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0x150000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: f908098a_by_Libranalysis.exe PID: 5964 Parent PID: 6652

General

Start time:	03:40:35
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0x760000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.725332154.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.725332154.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000002.725332154.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: f908098a_by_Libranalysis.exe PID: 5968 Parent PID: 6652

General

Start time:	03:40:36
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0xcd0000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.727791408.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.727791408.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000016.00000002.727791408.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: f908098a_by_Libranalysis.exe PID: 5660 Parent PID: 6652

General

Start time:	03:40:37
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0x470000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000002.730062781.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.730062781.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000002.730062781.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: f908098a_by_Libranalysis.exe PID: 6168 Parent PID: 6652

General

Start time:	03:40:38
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0x3c0000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: svchost.exe PID: 6596 Parent PID: 568

General

Start time:	03:40:38
Start date:	04/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: f908098a_by_Libranalysis.exe PID: 6660 Parent PID: 6652

General

Start time:	03:40:39
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0x300000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: f908098a_by_Libranalysis.exe PID: 6268 Parent PID: 6652

General

Start time:	03:40:40
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0xce0000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000002.736073940.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.736073940.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.736073940.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: f908098a_by_Libranalysis.exe PID: 6400 Parent PID: 6652

General

Start time:	03:40:41
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0xc90000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000002.738600817.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.738600817.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001D.00000002.738600817.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: f908098a_by_Libranalysis.exe PID: 6412 Parent PID: 6652

General

Start time:	03:40:42
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0x310000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: f908098a_by_Libranalysis.exe PID: 6508 Parent PID: 6652

General

Start time:	03:40:45
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0xbf0000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001F.00000002.746272772.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001F.00000002.746272772.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001F.00000002.746272772.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Analysis Process: f908098a_by_Libranalysis.exe PID: 6692 Parent PID: 6652

General

Start time:	03:40:46
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0xf50000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000021.00000002.748683152.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000002.748683152.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000021.00000002.748683152.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Analysis Process: f908098a_by_Libranalysis.exe PID: 7020 Parent PID: 6652

General

Start time:	03:40:47
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0x1b0000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: f908098a_by_Libranalysis.exe PID: 7016 Parent PID: 6652

General

Start time:	03:40:48
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0xc0000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: f908098a_by_Libranalysis.exe PID: 6984 Parent PID: 6652

General

Start time:	03:40:49
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0xf20000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000025.00000002.757220871.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000025.00000002.757220871.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000025.00000002.757220871.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Analysis Process: f908098a_by_Libranalysis.exe PID: 7036 Parent PID: 6652

General

Start time:	03:40:51
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0x2b0000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: f908098a_by_Libranalysis.exe PID: 4876 Parent PID: 6652

General

Start time:	03:40:52
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\f908098a_by_Libranalysis.exe
Imagebase:	0xe30000
File size:	2311168 bytes
MD5 hash:	F908098AF6B73A5EA4081A3474030196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000027.00000002.762072262.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000027.00000002.762072262.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000027.00000002.762072262.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report f908098a_by_Libranalysis

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: f908098a_by_Libranalysis.exe PID: 6652 Parent PID: 5812

General

Analysis Process: backgroundTaskHost.exe PID: 6724 Parent PID: 800