
Windows Analysis Report
G62PnhPS1s.exe

Overview

General Information

Sample Name:G62PnhPS1s.exe
Analysis ID:714139
MD5:07653fd9f64401f9f1696f4782c926f4
SHA1:aed898c8d28306aa28785004252b81144bb73676
SHA256:34915a0eded4e59cfd552ae7724e99584ec58f24b8a562fd90aa6dcb9397a019
Tags:exeNanoCoreRAT

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Sigma detected: Scheduled temp file as task from temp location
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Snort IDS alert for network traffic
Hides threads from debuggers
Tries to detect sandboxes and other dynamic analysis tools (window names)
Machine Learning detection for sample
.NET source code contains potential unpacker
PE file has nameless sections
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks for debuggers (devices)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • G62PnhPS1s.exe (PID: 5512 cmdline: C:\Users\user\Desktop\G62PnhPS1s.exe MD5: 07653FD9F64401F9F1696F4782C926F4)
    • schtasks.exe (PID: 5552 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpF33C.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5604 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpF531.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • G62PnhPS1s.exe (PID: 5688 cmdline: C:\Users\user\Desktop\G62PnhPS1s.exe 0 MD5: 07653FD9F64401F9F1696F4782C926F4)
  • dhcpmon.exe (PID: 5708 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 07653FD9F64401F9F1696F4782C926F4)
  • dhcpmon.exe (PID: 5816 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 07653FD9F64401F9F1696F4782C926F4)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
G62PnhPS1s.exe | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x12e8ed:$s1: \x02\x1E\x1E\x1APEE
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x12e8ed:$s1: \x02\x1E\x1E\x1APEE
Source | Rule | Description | Author | Strings
00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
  • 0xf778:$x2: NanoCore.ClientPlugin
  • 0xf7ad:$x3: NanoCore.ClientPluginHost
  • 0xf76c:$i2: IClientData
  • 0xf78e:$i3: IClientNetwork
  • 0xf79d:$i5: IClientDataHost
  • 0xf7c7:$i6: IClientLoggingHost
  • 0xf7da:$i7: IClientNetworkHost
  • 0xf7ed:$i8: IClientUIHost
  • 0xf7fb:$i9: IClientNameObjectCollection
  • 0xf817:$i10: IClientReadOnlyNameObjectCollection
  • 0xf56a:$s1: ClientPlugin
  • 0xf781:$s1: ClientPlugin
  • 0x147a2:$s6: get_ClientSettings
00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
  • 0xf7ad:$a1: NanoCore.ClientPluginHost
  • 0xf778:$a2: NanoCore.ClientPlugin
  • 0x146f3:$b1: get_BuilderSettings
  • 0x14662:$b7: LogClientException
  • 0xf7c7:$b9: IClientLoggingHost
Source | Rule | Description | Author | Strings
0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost
0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xb184:$x2: NanoCore.ClientPluginHost
  • 0xc25f:$s4: PipeCreated
  • 0xb19e:$s5: IClientLoggingHost
0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
  • 0xb14f:$x2: NanoCore.ClientPlugin
  • 0xb184:$x3: NanoCore.ClientPluginHost
  • 0xb143:$i2: IClientData
  • 0xb165:$i3: IClientNetwork
  • 0xb174:$i5: IClientDataHost
  • 0xb19e:$i6: IClientLoggingHost
  • 0xb1b1:$i7: IClientNetworkHost
  • 0xb1c4:$i8: IClientUIHost
  • 0xb1d2:$i9: IClientNameObjectCollection
  • 0xb1ee:$i10: IClientReadOnlyNameObjectCollection
  • 0xaf41:$s1: ClientPlugin
  • 0xb158:$s1: ClientPlugin
  • 0x10179:$s6: get_ClientSettings
0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
  • 0xb184:$a1: NanoCore.ClientPluginHost
  • 0xb14f:$a2: NanoCore.ClientPlugin
  • 0x100ca:$b1: get_BuilderSettings
  • 0x10039:$b7: LogClientException
  • 0xb19e:$b9: IClientLoggingHost

      AV Detection

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\G62PnhPS1s.exe, ProcessId: 5512, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      E-Banking Fraud

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\G62PnhPS1s.exe, ProcessId: 5512, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpF33C.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpF33C.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\G62PnhPS1s.exe, ParentImage: C:\Users\user\Desktop\G62PnhPS1s.exe, ParentProcessId: 5512, ParentProcessName: G62PnhPS1s.exe, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpF33C.tmp, ProcessId: 5552, ProcessName: schtasks.exe

      Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\G62PnhPS1s.exe, ProcessId: 5512, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Remote Access Functionality

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\G62PnhPS1s.exe, ProcessId: 5512, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Timestamp | Source | Destination | Protocol | SID | Classtype
10/01/22-17:08:43.514254 | 192.168.2.4:49701 | 209.25.141.180:27725 | TCP | 2025019 | A Network Trojan was detected
10/01/22-17:07:16.118415 | 192.168.2.4:49682 | 209.25.141.180:27725 | TCP | 2816766 | A Network Trojan was detected
10/01/22-17:08:36.499125 | 192.168.2.4:49700 | 209.25.141.180:27725 | TCP | 2025019 | A Network Trojan was detected
10/01/22-17:08:49.653446 | 192.168.2.4:49702 | 209.25.141.180:27725 | TCP | 2025019 | A Network Trojan was detected
10/01/22-17:07:48.171991 | 192.168.2.4:49691 | 209.25.141.180:27725 | TCP | 2816766 | A Network Trojan was detected
10/01/22-17:08:00.702896 | 192.168.2.4:49693 | 209.25.141.180:27725 | TCP | 2816766 | A Network Trojan was detected
10/01/22-17:07:22.198867 | 192.168.2.4:49683 | 209.25.141.180:27725 | TCP | 2816766 | A Network Trojan was detected
10/01/22-17:07:41.862031 | 192.168.2.4:49690 | 209.25.141.180:27725 | TCP | 2816766 | A Network Trojan was detected
10/01/22-17:08:06.673277 | 192.168.2.4:49694 | 209.25.141.180:27725 | TCP | 2816766 | A Network Trojan was detected
10/01/22-17:09:18.912433 | 192.168.2.4:49706 | 209.25.141.180:27725 | TCP | 2025019 | A Network Trojan was detected
10/01/22-17:07:54.614534 | 192.168.2.4:49692 | 209.25.141.180:27725 | TCP | 2816766 | A Network Trojan was detected
10/01/22-17:09:12.475195 | 192.168.2.4:49705 | 209.25.141.180:27725 | TCP | 2025019 | A Network Trojan was detected
10/01/22-17:07:40.062280 | 192.168.2.4:49690 | 209.25.141.180:27725 | TCP | 2025019 | A Network Trojan was detected
10/01/22-17:09:03.717769 | 192.168.2.4:49704 | 209.25.141.180:27725 | TCP | 2025019 | A Network Trojan was detected
10/01/22-17:08:56.029202 | 192.168.2.4:49703 | 209.25.141.180:27725 | TCP | 2025019 | A Network Trojan was detected
10/01/22-17:07:46.508056 | 192.168.2.4:49691 | 209.25.141.180:27725 | TCP | 2025019 | A Network Trojan was detected
10/01/22-17:07:52.816553 | 192.168.2.4:49692 | 209.25.141.180:27725 | TCP | 2025019 | A Network Trojan was detected
10/01/22-17:08:38.523559 | 192.168.2.4:49700 | 209.25.141.180:27725 | TCP | 2816766 | A Network Trojan was detected
10/01/22-17:07:20.412264 | 192.168.2.4:49683 | 209.25.141.180:27725 | TCP | 2025019 | A Network Trojan was detected
10/01/22-17:07:58.856083 | 192.168.2.4:49693 | 209.25.141.180:27725 | TCP | 2025019 | A Network Trojan was detected
10/01/22-17:08:04.907694 | 192.168.2.4:49694 | 209.25.141.180:27725 | TCP | 2025019 | A Network Trojan was detected
10/01/22-17:07:14.309819 | 192.168.2.4:49682 | 209.25.141.180:27725 | TCP | 2025019 | A Network Trojan was detected
10/01/22-17:07:26.854755 | 192.168.2.4:49684 | 209.25.141.180:27725 | TCP | 2025019 | A Network Trojan was detected
10/01/22-17:08:25.131746 | 192.168.2.4:49697 | 209.25.141.180:27725 | TCP | 2816718 | A Network Trojan was detected
10/01/22-17:08:45.444375 | 192.168.2.4:49701 | 209.25.141.180:27725 | TCP | 2816766 | A Network Trojan was detected
10/01/22-17:07:16.118415 | 192.168.2.4:49682 | 209.25.141.180:27725 | TCP | 2816718 | A Network Trojan was detected
10/01/22-17:08:51.692619 | 192.168.2.4:49702 | 209.25.141.180:27725 | TCP | 2816766 | A Network Trojan was detected
10/01/22-17:08:59.559197 | 192.168.2.4:49703 | 209.25.141.180:27725 | TCP | 2816766 | A Network Trojan was detected
10/01/22-17:08:23.697702 | 192.168.2.4:49697 | 209.25.141.180:27725 | TCP | 2025019 | A Network Trojan was detected
10/01/22-17:08:11.265098 | 192.168.2.4:49695 | 209.25.141.180:27725 | TCP | 2025019 | A Network Trojan was detected
10/01/22-17:08:17.220015 | 192.168.2.4:49696 | 209.25.141.180:27725 | TCP | 2025019 | A Network Trojan was detected
10/01/22-17:09:05.788694 | 192.168.2.4:49704 | 209.25.141.180:27725 | TCP | 2816766 | A Network Trojan was detected
10/01/22-17:07:35.720837 | 192.168.2.4:49689 | 209.25.141.180:27725 | TCP | 2816766 | A Network Trojan was detected
10/01/22-17:09:14.827870 | 192.168.2.4:49705 | 209.25.141.180:27725 | TCP | 2816766 | A Network Trojan was detected
10/01/22-17:08:31.982437 | 192.168.2.4:49698 | 209.25.141.180:27725 | TCP | 2816766 | A Network Trojan was detected
10/01/22-17:08:29.909653 | 192.168.2.4:49698 | 209.25.141.180:27725 | TCP | 2025019 | A Network Trojan was detected
10/01/22-17:07:29.595955 | 192.168.2.4:49684 | 209.25.141.180:27725 | TCP | 2816766 | A Network Trojan was detected
10/01/22-17:08:12.935261 | 192.168.2.4:49695 | 209.25.141.180:27725 | TCP | 2816766 | A Network Trojan was detected
10/01/22-17:08:25.559661 | 192.168.2.4:49697 | 209.25.141.180:27725 | TCP | 2816766 | A Network Trojan was detected
10/01/22-17:07:33.797666 | 192.168.2.4:49689 | 209.25.141.180:27725 | TCP | 2025019 | A Network Trojan was detected
10/01/22-17:08:19.169513 | 192.168.2.4:49696 | 209.25.141.180:27725 | TCP | 2816766 | A Network Trojan was detected


      AV Detection

Source: G62PnhPS1s.exe | ReversingLabs: Detection: 84%
Source: G62PnhPS1s.exe | Virustotal: Detection: 50%
Source: G62PnhPS1s.exe | Avira: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Avira: detection malicious, Label: HEUR/AGEN.1215957
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Virustotal: Detection: 50%
Source: Yara match | File source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.G62PnhPS1s.exe.429eaac.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: G62PnhPS1s.exe PID: 5512, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: G62PnhPS1s.exe PID: 5688, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5708, type: MEMORYSTR
Source: G62PnhPS1s.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack | Avira: Label: TR/NanoCore.fadte
Source: 5.2.G62PnhPS1s.exe.432000.1.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: G62PnhPS1s.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\G62PnhPS1s.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: 6C:\Windows\dll\mscorlib.pdb | source: G62PnhPS1s.exe, 00000000.00000002.573067562.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Fc:\windows\symbols\dll\mscorlib.pdb2.&u | source: G62PnhPS1s.exe, 00000000.00000002.573394469.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.configib.pdb118cY7 | source: G62PnhPS1s.exe, 00000000.00000002.573394469.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .C:\Windows\mscorlib.pdbpdb | source: G62PnhPS1s.exe, 00000000.00000002.573067562.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\windows\assembly\gac_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb5ffaY7 | source: G62PnhPS1s.exe, 00000000.00000002.573394469.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .C:\Windows\mscorlib.pdbpdb4 | source: G62PnhPS1s.exe, 00000000.00000002.573067562.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .c:\windows\mscorlib.pdbpdb | source: G62PnhPS1s.exe, 00000000.00000002.573394469.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp

      Networking

Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49682 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49682 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.4:49682 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49683 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49683 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49684 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49684 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49689 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49689 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49690 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49690 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49691 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49691 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49692 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49692 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49693 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49693 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49694 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49694 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49695 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49695 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49696 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49696 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49697 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49697 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.4:49697 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49698 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49698 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49700 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49700 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49701 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49701 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49702 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49702 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49703 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49703 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49704 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49704 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49705 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49705 -> 209.25.141.180:27725
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49706 -> 209.25.141.180:27725
Source: Joe Sandbox View | ASN Name: COGECO-PEER1CA
Source: Joe Sandbox View | IP Address: 209.25.141.180
Source: global traffic | TCP traffic: 192.168.2.4:49682 -> 209.25.141.180:27725
Source: G62PnhPS1s.exe, 00000005.00000002.324685861.0000000000432000.00000040.00000001.01000000.00000003.sdmp, dhcpmon.exe, 00000006.00000002.327616554.0000000000791000.00000040.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.enigmaprotector.com/
Source: G62PnhPS1s.exe, 00000005.00000002.324685861.0000000000432000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.enigmaprotector.com/openU
Source: unknown | DNS traffic detected: queries for: cable-corporation.at.playit.gg
Source: C:\Users\user\Desktop\G62PnhPS1s.exe | Code function: 0_2_053B3242 WSARecv,
Source: G62PnhPS1s.exe, 00000000.00000002.573067562.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: G62PnhPS1s.exe, 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: RegisterRawInputDevices

      E-Banking Fraud

Source: Yara match | File source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.G62PnhPS1s.exe.429eaac.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: G62PnhPS1s.exe PID: 5512, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: G62PnhPS1s.exe PID: 5688, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5708, type: MEMORYSTR

      System Summary

Source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 6.2.dhcpmon.exe.4219c76.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 6.2.dhcpmon.exe.4219c76.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 6.2.dhcpmon.exe.4219c76.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 0.2.G62PnhPS1s.exe.5ad0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.G62PnhPS1s.exe.5ad0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 0.2.G62PnhPS1s.exe.5ad0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 6.2.dhcpmon.exe.31f3ce4.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 6.2.dhcpmon.exe.31f3ce4.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 6.2.dhcpmon.exe.31f3ce4.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 5.2.G62PnhPS1s.exe.3273ab0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 5.2.G62PnhPS1s.exe.3273ab0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 5.2.G62PnhPS1s.exe.3273ab0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 5.2.G62PnhPS1s.exe.42b7a80.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 5.2.G62PnhPS1s.exe.42b7a80.6.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 5.2.G62PnhPS1s.exe.42b7a80.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 0.2.G62PnhPS1s.exe.31d1784.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.G62PnhPS1s.exe.31d1784.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 0.2.G62PnhPS1s.exe.31d1784.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 00000006.00000002.329734424.000000000422E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 00000005.00000002.329900820.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 00000006.00000002.329633274.0000000004219000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
Source: 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | Author: unknown
      Source: 00000006.00000002.329073054.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000002.329073054.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000005.00000002.329067555.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000002.329067555.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000002.575419070.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: G62PnhPS1s.exe PID: 5512, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: G62PnhPS1s.exe PID: 5512, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: G62PnhPS1s.exe PID: 5688, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: G62PnhPS1s.exe PID: 5688, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: dhcpmon.exe PID: 5708, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 5708, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: G62PnhPS1s.exe Static PE information: section name:
Source: G62PnhPS1s.exe Static PE information: section name:
Source: G62PnhPS1s.exe Static PE information: section name:
Source: G62PnhPS1s.exe Static PE information: section name:
Source: dhcpmon.exe.0.dr Static PE information: section name:
Source: dhcpmon.exe.0.dr Static PE information: section name:
Source: dhcpmon.exe.0.dr Static PE information: section name:
Source: dhcpmon.exe.0.dr Static PE information: section name:
Source: G62PnhPS1s.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: G62PnhPS1s.exe, type: SAMPLE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.dhcpmon.exe.4219c76.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.dhcpmon.exe.4219c76.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.dhcpmon.exe.4219c76.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.dhcpmon.exe.4219c76.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.G62PnhPS1s.exe.5ad0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G62PnhPS1s.exe.5ad0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G62PnhPS1s.exe.5ad0000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.G62PnhPS1s.exe.5ad0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.dhcpmon.exe.31f3ce4.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.dhcpmon.exe.31f3ce4.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.dhcpmon.exe.31f3ce4.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.dhcpmon.exe.31f3ce4.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.G62PnhPS1s.exe.3273ab0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.G62PnhPS1s.exe.3273ab0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.G62PnhPS1s.exe.3273ab0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.G62PnhPS1s.exe.3273ab0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.G62PnhPS1s.exe.42b7a80.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.G62PnhPS1s.exe.42b7a80.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.G62PnhPS1s.exe.42b7a80.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.G62PnhPS1s.exe.42b7a80.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.G62PnhPS1s.exe.31d1784.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G62PnhPS1s.exe.31d1784.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G62PnhPS1s.exe.31d1784.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.G62PnhPS1s.exe.31d1784.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.0.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.329734424.000000000422E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.329900820.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.329633274.0000000004219000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.329073054.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.329073054.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.329067555.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.329067555.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.575419070.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: G62PnhPS1s.exe PID: 5512, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: G62PnhPS1s.exe PID: 5512, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: G62PnhPS1s.exe PID: 5688, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: G62PnhPS1s.exe PID: 5688, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dhcpmon.exe PID: 5708, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 5708, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_02862478
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_02877ABF
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_053789D8
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_05373850
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_053723A0
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_05372FA8
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_0537B2A8
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_053795D8
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_0537306F
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_0537969F
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_00405242
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_004057C6
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_00405ACE
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_00405986
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_004430B6
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_029023A0
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_02902FA8
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_02903850
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0290306F
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: String function: 00436264 appears 70 times
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_053B1BB2 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_053B1B77 NtQuerySystemInformation,
Source: G62PnhPS1s.exe, 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000000.00000002.573067562.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000000.00000002.578043243.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000000.00000002.580084127.0000000005EC0000.00000004.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000000.00000002.578057166.0000000004240000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000000.00000002.575419070.00000000031C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000005.00000002.329785788.00000000042B6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000005.00000002.329977094.00000000042D0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000005.00000002.329841701.00000000042BD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs G62PnhPS1s.exe
Source: G62PnhPS1s.exe, 00000005.00000002.329067555.0000000003251000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs G62PnhPS1s.exe
      Source: G62PnhPS1s.exe, 00000005.00000002.329067555.0000000003251000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs G62PnhPS1s.exe
      Source: G62PnhPS1s.exeStatic PE information: Section: ZLIB complexity 0.9996004971590909
      Source: G62PnhPS1s.exeStatic PE information: Section: ZLIB complexity 1.0003995028409092
      Source: G62PnhPS1s.exeStatic PE information: Section: ZLIB complexity 1.021484375
      Source: G62PnhPS1s.exeStatic PE information: Section: .random ZLIB complexity 0.996978407058338
      Source: dhcpmon.exe.0.drStatic PE information: Section: ZLIB complexity 0.9996004971590909
      Source: dhcpmon.exe.0.drStatic PE information: Section: ZLIB complexity 1.0003995028409092
      Source: dhcpmon.exe.0.drStatic PE information: Section: ZLIB complexity 1.021484375
      Source: dhcpmon.exe.0.drStatic PE information: Section: .random ZLIB complexity 0.996978407058338
      Source: G62PnhPS1s.exeReversingLabs: Detection: 84%
      Source: G62PnhPS1s.exeVirustotal: Detection: 50%
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe File read: C:\Users\user\Desktop\G62PnhPS1s.exe
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown Process created: C:\Users\user\Desktop\G62PnhPS1s.exe C:\Users\user\Desktop\G62PnhPS1s.exe
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpF33C.tmp
      Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpF531.tmp
      Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown Process created: C:\Users\user\Desktop\G62PnhPS1s.exe C:\Users\user\Desktop\G62PnhPS1s.exe 0
      Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
      Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpF33C.tmp
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpF531.tmp
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_053B1972 AdjustTokenPrivileges,
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_053B193B AdjustTokenPrivileges,
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe File created: C:\Users\user\AppData\Local\Temp\tmpF33C.tmp
      Source: classification engine Classification label: mal100.troj.evad.winEXE@10/8@20/2
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{a11f01f0-4c67-40a2-aa25-75584883ef2b}
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_01
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5612:120:WilError_01
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe File created: C:\Program Files (x86)\DHCP Monitor
      Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, u0040?2.cs Cryptographic APIs: 'CreateDecryptor'
      Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, u0040?2.cs Cryptographic APIs: 'TransformFinalBlock'
      Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, u0040?2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: G62PnhPS1s.exe Static file information: File size 1246208 > 1048576
      Source: Binary string: 6C:\Windows\dll\mscorlib.pdb source: G62PnhPS1s.exe, 00000000.00000002.573067562.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Fc:\windows\symbols\dll\mscorlib.pdb2.&u source: G62PnhPS1s.exe, 00000000.00000002.573394469.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.configib.pdb118cY7 source: G62PnhPS1s.exe, 00000000.00000002.573394469.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: .C:\Windows\mscorlib.pdbpdb source: G62PnhPS1s.exe, 00000000.00000002.573067562.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: c:\windows\assembly\gac_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb5ffaY7 source: G62PnhPS1s.exe, 00000000.00000002.573394469.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: .C:\Windows\mscorlib.pdbpdb4 source: G62PnhPS1s.exe, 00000000.00000002.573067562.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: .c:\windows\mscorlib.pdbpdb source: G62PnhPS1s.exe, 00000000.00000002.573394469.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp

      Data Obfuscation

      Source: 5.2.G62PnhPS1s.exe.400000.0.unpack, u0040?2.cs .Net Code: @? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_02879D73 pushad ; retf
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_00406051 push es; retn 0000h
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_00406C04 push es; ret
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_004057C6 push es; retn 0000h
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_00405ACE push es; retn 0000h
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_00405986 push es; retn 0000h
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044E104 push ecx; mov dword ptr [esp], edx
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0045219C push ecx; mov dword ptr [esp], edx
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044228C push 004426D8h; ret
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044E32C push ecx; mov dword ptr [esp], edx
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0043A3EA push 0043A418h; ret
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044B3A0 push 0044B400h; ret
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044E448 push ecx; mov dword ptr [esp], edx
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044C454 push 0044C4A1h; ret
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0043A45C push 0043A488h; ret
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0045840C push ecx; mov dword ptr [esp], edx
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0043A424 push 0043A450h; ret
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0043A4F8 push 0043A52Ch; ret
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044E48C push ecx; mov dword ptr [esp], edx
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0043A494 push 0043A4C0h; ret
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0045054C push ecx; mov dword ptr [esp], edx
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044A536 push 0044A5B5h; ret
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_004385F0 push 00438641h; ret
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044962C push 004496A2h; ret
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_004426DA push 0044274Bh; ret
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044B684 push ecx; mov dword ptr [esp], ecx
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_004496A4 push 0044974Ch; ret
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_00449760 push 0044979Ch; ret
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044285E push 0044288Ch; ret
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044A804 push 0044A830h; ret
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 5_2_0044B8F4 push ecx; mov dword ptr [esp], ecx
      Source: G62PnhPS1s.exe Static PE information: section name:
      Source: G62PnhPS1s.exe Static PE information: section name: .random
      Source: dhcpmon.exe.0.dr Static PE information: section name:
      Source: dhcpmon.exe.0.dr Static PE information: section name: .random
      Source: initial sample Static PE information: section name: entropy: 7.996241313774297
      Source: initial sample Static PE information: section name: entropy: 7.9977165676251
      Source: initial sample Static PE information: section name: entropy: 7.310216660215987
      Source: initial sample Static PE information: section name: .random entropy: 7.984769720522192
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Boot Survival

      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpF33C.tmp

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Users\user\Desktop\G62PnhPS1s.exe File opened: C:\Users\user\Desktop\G62PnhPS1s.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe TID: 5532 Thread sleep time: -32000s >= -30000s
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe TID: 5652 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe TID: 5648 Thread sleep time: -620000s >= -30000s
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe TID: 5692 Thread sleep count: 226 > 30
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe TID: 5736 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5712 Thread sleep count: 364 > 30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5752 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5820 Thread sleep count: 1090 > 30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5856 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Window / User API: threadDelayed 995
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Window / User API: foregroundWindowGot 1049
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Window / User API: threadDelayed 364
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Window / User API: threadDelayed 1090
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Code function: 0_2_053B169A GetSystemInfo,
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
      Source: G62PnhPS1s.exe, 00000005.00000002.324685861.0000000000432000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VBoxService.exe
      Source: dhcpmon.exe, 00000006.00000002.325388305.0000000000591000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: ~VirtualMachineTypes
      Source: G62PnhPS1s.exe, 00000000.00000002.573728418.0000000000A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
      Source: dhcpmon.exe, 00000006.00000002.325388305.0000000000591000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
      Source: G62PnhPS1s.exe, 00000005.00000002.324685861.0000000000432000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VMWare
      Source: dhcpmon.exe, 00000006.00000002.325388305.0000000000591000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
      Source: G62PnhPS1s.exe, 00000005.00000002.324685861.0000000000432000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: &VBoxService.exe
      Source: G62PnhPS1s.exe, 00000000.00000002.573728418.0000000000A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

      Anti Debugging

      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Thread information set: HideFromDebugger
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread information set: HideFromDebugger
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Open window title or class name: ollydbg
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process token adjusted: Debug
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe File opened: SIWDEBUG
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe File opened: NTICE
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe File opened: SICE
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Memory allocated: page read and write | page guard
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpF33C.tmp
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpF531.tmp
      Source: G62PnhPS1s.exe, 00000000.00000002.577634870.0000000003408000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerH
      Source: G62PnhPS1s.exe, 00000000.00000002.577634870.0000000003408000.00000004.00000800.00020000.00000000.sdmp, G62PnhPS1s.exe, 00000000.00000002.576203045.000000000327E000.00000004.00000800.00020000.00000000.sdmp, G62PnhPS1s.exe, 00000000.00000002.577769543.0000000003429000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
      Source: G62PnhPS1s.exe, 00000000.00000002.573728418.0000000000A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerlement, System.WorkflowServices, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
      Source: G62PnhPS1s.exe, 00000000.00000002.575731834.0000000003214000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerr
      Source: G62PnhPS1s.exe, 00000000.00000002.576203045.000000000327E000.00000004.00000800.00020000.00000000.sdmp, G62PnhPS1s.exe, 00000000.00000002.577769543.0000000003429000.00000004.00000800.00020000.00000000.sdmp, G62PnhPS1s.exe, 00000000.00000002.575997920.000000000324E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager[
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information

      barindex
      Source: Yara match | File source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 5.2.G62PnhPS1s.exe.429eaac.5.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 5.2.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: G62PnhPS1s.exe PID: 5512, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: G62PnhPS1s.exe PID: 5688, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5708, type: MEMORYSTR

      Remote Access Functionality

      barindex
      Source: G62PnhPS1s.exe, 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: G62PnhPS1s.exe, 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: G62PnhPS1s.exe, 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: G62PnhPS1s.exe, 00000000.00000002.575419070.00000000031C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: G62PnhPS1s.exe | String found in binary or memory: NanoCore.ClientPluginHost
      Source: G62PnhPS1s.exe, 00000005.00000002.329900820.00000000042C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: G62PnhPS1s.exe, 00000005.00000002.329900820.00000000042C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: HApplicationBaseMicrosoft.VisualBasic.ApplicationServicesUserConversionsMicrosoft.VisualBasic.CompilerServicesObjectFlowControlOperatorsProjectDataStandardModuleAttributeComputerMicrosoft.VisualBasic.DevicesHideModuleNameAttributeMyGroupCollectionAttributeContextValue`1Microsoft.VisualBasic.MyServices.InternalClientInvokeDelegateNanoCoreIClientDataNanoCore.ClientPluginIClientNetworkIClientDataHostNanoCore.ClientPluginHostIClientLoggingHostIClientNetworkHostIClientUIHostIClientNameObjectCollectionIClientReadOnlyNameObjectCollectionActivatorAppDomainArgumentOutOfRangeExceptionArrayAsyncCallbackBitConverterBooleanBufferByteCharCLSCompliantAttributeGeneratedCodeAttributeSystem.CodeDom.CompilerDictionary`2System.Collections.GenericEnumeratorIEnumerable`1KeyValuePair`2List`1IEnumeratorSystem.CollectionsEditorBrowsableAttributeSystem.ComponentModelEditorBrowsableStateApplicationSettingsBaseSystem.ConfigurationSettingsBaseDateTimeDateTimeKindDelegateDebuggerDisplayAttributeSystem.DiagnosticsDebuggerHiddenAttributeDebuggerNonUserCodeAttributeDebuggerStepThroughAttributeProcessStackFrameStackTraceDoubleEnumEnvironmentExceptionCultureInfoSystem.GlobalizationIAsyncResultIDisposableInt16Int32Int64IntPtrBinaryReaderSystem.IOBinaryWriterDirectoryDirectoryInfoEndOfStreamExceptionFileFileAccessFileInfoFileModeFileStreamFileSystemInfoMemoryStreamPathStreamStringReaderMathMulticastDelegateObjectAssemblySystem.ReflectionAssemblyCompanyAttributeAssemblyCopyrightAttributeAssemblyDescriptionAttributeAssemblyFileVersionAttributeAssemblyNameAssemblyProductAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeDefaultMemberAttributeMemberInfoMethodBaseResolveEventArgsResolveEventHandlerResourceManagerSystem.ResourcesCompilationRelaxationsAttributeSystem.Runtime.CompilerServicesCompilerGeneratedAttributeRuntimeCompatibilityAttributeRuntimeHelpersSuppressIldasmAttributeComVisibleAttributeSystem.Runtime.InteropServicesGuidAttributeMarshalRuntimeEnvironmentRuntimeMethodHandleRuntimeTypeHandleSuppressUnmanagedCodeSecurityAttributeSystem.SecurityStringStringSplitOptionsEncodingSystem.TextCaptureSystem.Text.RegularExpressionsGroupGroupCollectionMatchMatchCollectionRegexStringBuilderMonitorSystem.ThreadingThreadThreadPoolTimerTimerCallbackWaitCallbackTimeSpanTypeUInt16UInt32UInt64UriUriKindValueTypeVoidClipboardCreateParamsKeysMessageNativeWindow<Module>#=q$SxR33u2B2QKyvTy6OUx3VUEnsU1BBIwrFbNm_dTmvc=#=q1WnXnf5Kn3oZdelfZ9atXg==#=q4Jhplum5EMsDzltMg_L_tgoPjr8zzldX6k5uL$T8QHU=#=qaeAZ85IK9icf1hoO$eIUgQ==#=qbDWEs19y0rXNZJloHjyEAXFFSfYqbb6nrn10YnV15GU=#=qgHfmPA2gNKnydwzqeSF_2nVCUjp4Sfb3eJfQd$j975A=#=q3$4$aeeKw0G6KJpmbsHtCSC3$LdCNMfTzWNTjLVfIoU=#=qwJ4w0jkRVthW3ex8w5dly$cWay1Am4JSh9ZTwaXqcz4=#=qZDfXudm0$xsDWCHGELpd5JJQykxvZE2iCT02xHzYWZs=#=qBUViwm1Wzov4U2EcqfWHEYm9yRhCdBkuxxjXALmkpzo=#=qps$_CRy8QN3tD8_cpxbl5Q==#=qeoqI9zQPLOZjV1JthHFzOD41rl7NT5wwztozAPfluxU=#=qfisk2$Joqzyumzd6fh2dOQ==#=qjw6ERKjxRJyhmlKKhTbkm3qZjjnDTqlES7REqNxqUOg=#=qm8f9k1aXVtORA4naJCkxW5anSegBcHo_NtygLkyg$zI=#=qG3u5K_RN
      Source: G62PnhPS1s.exe, 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: G62PnhPS1s.exe, 00000005.00000002.329067555.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 00000006.00000002.329734424.000000000422E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 00000006.00000002.329633274.0000000004219000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 00000006.00000002.329073054.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: Yara match | File source: 0.2.G62PnhPS1s.exe.5d64629.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.G62PnhPS1s.exe.5d60000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 5.2.G62PnhPS1s.exe.429eaac.5.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.G62PnhPS1s.exe.5d60000.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 5.2.G62PnhPS1s.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: G62PnhPS1s.exe PID: 5512, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: G62PnhPS1s.exe PID: 5688, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5708, type: MEMORYSTR
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe | Code function: 0_2_053B2D86 bind,
      Source: C:\Users\user\Desktop\G62PnhPS1s.exe | Code function: 0_2_053B2D34 bind,
      MITRE ATT&CK Matrix (the number in parentheses is the count of matched signatures shown for that technique):

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Access Token Manipulation (1) | Masquerading (2) | Input Capture (21) | Security Software Discovery (311) | Remote Services | Input Capture (21) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection (12) | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Archive Collected Data (11) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job (1) | Virtualization/Sandbox Evasion (231) | Security Account Manager | Virtualization/Sandbox Evasion (231) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Ingress Tool Transfer (1) | SIM Card Swap | Carrier Billing Fraud |
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection (12) | LSA Secrets | System Information Discovery (3) | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol (1) | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information (11) | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol (1) | Jamming or Denial of Service | Abuse Accessibility Features |
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Hidden Files and Directories (1) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information (3) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing (13) | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
      Behavior Graph (ID: 714139, Sample: G62PnhPS1s.exe, Startdate: 01/10/2022, Architecture: WINDOWS, Score: 100)

      • Network: cable-corporation.at.playit.gg (209.25.141.180, ports 27725, 49682, 49683, COGECO-PEER1CA, Canada); 192.168.2.1 (unknown)
      • Processes started: G62PnhPS1s.exe (two instances), dhcpmon.exe (two instances), schtasks.exe (two instances, each spawning conhost.exe)
      • Files dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO); C:\Users\user\AppData\Local\...\tmpF33C.tmp (XML); C:\...\dhcpmon.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\G62PnhPS1s.exe.log (ASCII)
      • Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 12 other signatures; Uses schtasks.exe or at.exe to add and modify task schedules; Hides threads from debuggers; Hides that the sample has been downloaded from the Internet (zone.identifier)

      Source | Detection | Scanner | Label | Link
      G62PnhPS1s.exe | 85% | ReversingLabs | Win32.Backdoor.NanoCore |
      G62PnhPS1s.exe | 51% | Virustotal | | Browse
      G62PnhPS1s.exe | 100% | Avira | HEUR/AGEN.1215957 |
      G62PnhPS1s.exe | 100% | Joe Sandbox ML | |

      Source | Detection | Scanner | Label | Link
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Avira | HEUR/AGEN.1215957 |
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML | |
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 85% | ReversingLabs | Win32.Backdoor.NanoCore |
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 51% | Virustotal | | Browse

      Source | Detection | Scanner | Label | Link | Download
      0.0.G62PnhPS1s.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1215901 | | Download File
      0.2.G62PnhPS1s.exe.5d60000.4.unpack | 100% | Avira | TR/NanoCore.fadte | | Download File
      5.2.G62PnhPS1s.exe.432000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen2 | | Download File
      5.2.G62PnhPS1s.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1208316 | | Download File

      Source | Detection | Scanner | Label | Link
      cable-corporation.at.playit.gg | 5% | Virustotal | | Browse

      Source | Detection | Scanner | Label | Link
      http://www.enigmaprotector.com/ | 0% | URL Reputation | safe |
      http://www.enigmaprotector.com/openU | 0% | URL Reputation | safe |

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      cable-corporation.at.playit.gg | 209.25.141.180 | true | true | | unknown

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://www.enigmaprotector.com/ | G62PnhPS1s.exe, 00000005.00000002.324685861.0000000000432000.00000040.00000001.01000000.00000003.sdmp, dhcpmon.exe, 00000006.00000002.327616554.0000000000791000.00000040.00000001.01000000.00000005.sdmp | false | URL Reputation: safe | unknown
      http://www.enigmaprotector.com/openU | G62PnhPS1s.exe, 00000005.00000002.324685861.0000000000432000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
209.25.141.180 | cable-corporation.at.playit.gg | Canada | - | 13768 | COGECO-PEER1CA | true
      IP
      192.168.2.1
      Joe Sandbox Version:36.0.0 Rainbow Opal
      Analysis ID:714139
      Start date and time:2022-10-01 17:06:16 +02:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 9m 16s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:G62PnhPS1s.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:13
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.troj.evad.winEXE@10/8@20/2
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:
      • Successful, ratio: 53.2% (good quality ratio 52.7%)
      • Quality average: 79.4%
      • Quality standard deviation: 25.8%
      HCA Information:
      • Successful, ratio: 65%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
      • TCP Packets have been reduced to 100
      • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
      • Report creation exceeded maximum time and may have missing disassembly code information.
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
      • Report size getting too big, too many NtDeviceIoControlFile calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
17:07:13 | API Interceptor | 897x Sleep call for process: G62PnhPS1s.exe modified
17:07:14 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\G62PnhPS1s.exe" s>$(Arg0)
17:07:14 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
17:07:16 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Process:C:\Users\user\Desktop\G62PnhPS1s.exe
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):1246208
      Entropy (8bit):7.990780186599993
      Encrypted:true
      SSDEEP:24576:wUelzt/bfQ8OBromXFprxo3FFkBuK/qI/nJi6CYyHFBgsnfLum9My3o54TRM+:4xUC8FU3XkBuAdfsYybggfL/Gx
      MD5:07653FD9F64401F9F1696F4782C926F4
      SHA1:AED898C8D28306AA28785004252B81144BB73676
      SHA-256:34915A0EDED4E59CFD552AE7724E99584EC58F24B8A562FD90AA6DCB9397A019
      SHA-512:96178C05A5F78F3C132E9634957194C4D90BDE07413FFD086DE05AD3B638188132C40F84112949AB31818FFBB578980F99A938990846EC70061D5513732894F0
      Malicious:true
      Yara Hits:
      • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
      Antivirus:
      • Antivirus: Avira, Detection: 100%
      • Antivirus: Joe Sandbox ML, Detection: 100%
      • Antivirus: ReversingLabs, Detection: 85%
      • Antivirus: Virustotal, Detection: 51%, Browse
      Reputation:low
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.................H...b......<.... ........@.. .......................@9............................................. .+.........X.....................+..............................................................................................`... ......................@............`.......`..................@............ ..........................@....rsrc.... ..........................@.............'.. ......................@....random..@....+..2..................@...........................................$...o(..6./}..........................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\G62PnhPS1s.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):26
      Entropy (8bit):3.95006375643621
      Encrypted:false
      SSDEEP:3:ggPYV:rPYV
      MD5:187F488E27DB4AF347237FE461A079AD
      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
      Malicious:true
      Reputation:high, very likely benign file
      Preview:[ZoneTransfer]....ZoneId=0
      Process:C:\Users\user\Desktop\G62PnhPS1s.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):525
      Entropy (8bit):5.2874233355119316
      Encrypted:false
      SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
      MD5:61CCF53571C9ABA6511D696CB0D32E45
      SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
      SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
      SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
      Malicious:true
      Reputation:high, very likely benign file
      Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
      Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):525
      Entropy (8bit):5.2874233355119316
      Encrypted:false
      SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
      MD5:61CCF53571C9ABA6511D696CB0D32E45
      SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
      SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
      SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
      Malicious:false
      Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
      Process:C:\Users\user\Desktop\G62PnhPS1s.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):1300
      Entropy (8bit):5.107533892792601
      Encrypted:false
      SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Yayxtn:cbk4oL600QydbQxIYODOLedq3Bj
      MD5:B0B51A62FC7A6CAAF2D3035423C0CD81
      SHA1:818AC6EB9B12FE5C4832855B88F1CFEA973EC944
      SHA-256:FE02E823C955C7E5A8917B34695129A5EEB33B2254ECEA586B8D425AF0AF569F
      SHA-512:53465207ED52E68CC3BBC095EE9FB075E97B2DE7A50935705C84E1B1CF4523F01F93983278D5B59CB2C81C2935F67E545698A073D9D4CAA6C02237DCC6C5D4C6
      Malicious:true
      Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
      Process:C:\Users\user\Desktop\G62PnhPS1s.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:modified
      Size (bytes):1310
      Entropy (8bit):5.109425792877704
      Encrypted:false
      SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
      MD5:5C2F41CFC6F988C859DA7D727AC2B62A
      SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
      SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
      SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
      Process:C:\Users\user\Desktop\G62PnhPS1s.exe
      File Type:Non-ISO extended-ASCII text, with no line terminators
      Category:dropped
      Size (bytes):8
      Entropy (8bit):3.0
      Encrypted:false
      SSDEEP:3:Zqbwn:4cn
      MD5:A0B8F4FC2F080D11563C79396A5EF9FE
      SHA1:1D0AB1B41755B425DC2E4F16EA88D3F493762728
      SHA-256:993554FFED3627C4467DDE6B9F8088D2A3226D16296336A7A60C98037EB18CFA
      SHA-512:742E47CDCC74751550786DB6F9A949F5CD99C1AE5F0843CEF319A8734079EA82BC0DA631458FFAAF9BA5479BC4E59C254DC25BF552FBFFBF606CB48CAFFDCAEE
      Malicious:true
      Preview:.Y....H
      Process:C:\Users\user\Desktop\G62PnhPS1s.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):37
      Entropy (8bit):4.203526853497231
      Encrypted:false
      SSDEEP:3:oNt+WfWib1r6Jn:oNwvib1E
      MD5:351D2E4CAAA1B21ED424549F35280788
      SHA1:9CD0BAC3AA328B8D4BA1F490F47A17BF830D01DC
      SHA-256:25767F6D2FE5F40CA47BA2402045F95303DC0C7B2263F3D0A3D16F1CDEF3568D
      SHA-512:DFEB62070C9300513EFCBDCB36F01C426FD1E8000865B53F101DA0F9927E1A476E85DA6605714AE8A7C0A849A2750F384DA3AF5E46E531351F7AD3D995450BD6
      Malicious:false
      Preview:C:\Users\user\Desktop\G62PnhPS1s.exe
      File type:PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit):7.990780186599993
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.94%
      • Win16/32 Executable Delphi generic (2074/23) 0.02%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • VXD Driver (31/22) 0.00%
      File name:G62PnhPS1s.exe
      File size:1246208
      MD5:07653fd9f64401f9f1696f4782c926f4
      SHA1:aed898c8d28306aa28785004252b81144bb73676
      SHA256:34915a0eded4e59cfd552ae7724e99584ec58f24b8a562fd90aa6dcb9397a019
      SHA512:96178c05a5f78f3c132e9634957194c4d90bde07413ffd086de05ad3b638188132c40f84112949ab31818ffbb578980f99a938990846ec70061d5513732894f0
      SSDEEP:24576:wUelzt/bfQ8OBromXFprxo3FFkBuK/qI/nJi6CYyHFBgsnfLum9My3o54TRM+:4xUC8FU3XkBuAdfsYybggfL/Gx
      TLSH:D44533D46D10EEE5E190743043DEDE596A5DA0B40E4A481ED9BDB02BE3FE12CC345BB8
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.................H...b......<.... ........@.. .......................@9............................................
      Icon Hash:00828e8e8686b000
      Entrypoint:0x40b23c
      Entrypoint Section:
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
      DLL Characteristics:
      Time Stamp:0x54E927A1 [Sun Feb 22 00:49:37 2015 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:2e5467cba76f44a088d39f78c5e807b6
      Instruction
      call 00007F7668FF7026h
      jmp 00007F7668FF6E3Eh
      push 0044BB60h
      push dword ptr fs:[00000000h]
      mov eax, dword ptr [esp+10h]
      mov dword ptr [esp+10h], ebp
      lea ebp, dword ptr [esp+10h]
      sub esp, eax
      push ebx
      push esi
      push edi
      mov eax, dword ptr [00466ECCh]
      xor dword ptr [ebp-04h], eax
      xor eax, ebp
      push eax
      mov dword ptr [ebp-18h], esp
      push dword ptr [ebp-08h]
      mov eax, dword ptr [ebp-04h]
      mov dword ptr [ebp-04h], FFFFFFFEh
      mov dword ptr [ebp-08h], eax
      lea eax, dword ptr [ebp-10h]
      mov dword ptr fs:[00000000h], eax
      ret
      mov ecx, dword ptr [ebp-10h]
      mov dword ptr fs:[00000000h], ecx
      pop ecx
      pop edi
      pop edi
      pop esi
      pop ebx
      mov esp, ebp
      pop ebp
      push ecx
      ret
      int3
      int3
      int3
      add esp, 04h
      jmp 00007F766937CEC3h
      or eax, F972054Dh
      lahf
      sti
      imul edi, dword ptr [ecx-31h], DA10A1DAh
      nop
      cld
      cdq
      dec ebp
      add byte ptr [ebp-1DBF528Eh], dl
      jmp dword ptr [edi+3Bh]
      and byte ptr [ecx-52h], cl
      and al, 9Bh
      mov seg?, word ptr [ecx+45h]
      scasd
      test al, 9Bh
      jecxz 00007F7668FF6FD0h
      sub eax, ebx
      mov dword ptr [00D449A0h], eax
      sub edx, dword ptr [esi+05B3BE87h]
      jc 00007F7668FF6F73h
      jnp 00007F7668FF6FB2h
      mov ebx, A172BFEFh
      dec esp
      int3
      lodsd
      iretd
      jecxz 00007F7668FF6F71h
      add al, D6h
      cmp al, 73h
      retf
      scasb
      stc
      mov ecx, dword ptr [edx]
      add al, 36h
      pop edi
      add byte ptr [esi-72h], al
      sub dword ptr [esi-58364CA0h], ebp
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b0020 | 0x210 | .random
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x30000 | 0x58 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2b0000 | 0xc | .random
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(nameless) | 0x2000 | 0x16000 | 0xb000 | False | 0.9996004971590909 | data | 7.996241313774297 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(nameless) | 0x18000 | 0x16000 | 0x16000 | False | 1.0003995028409092 | data | 7.9977165676251 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(nameless) | 0x2e000 | 0x2000 | 0x200 | False | 1.021484375 | data | 7.310216660215987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x30000 | 0x2000 | 0x200 | False | 0.09765625 | data | 0.3718787954394439 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(nameless) | 0x32000 | 0x27e000 | 0x2ba00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.random | 0x2b0000 | 0xe4000 | 0xe3200 | False | 0.996978407058338 | data | 7.984769720522192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country
RT_RCDATA | 0x18058 | 0x15f68 | data | - | -
DLL | Import
kernel32.dll | GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll | MessageBoxA
advapi32.dll | RegCloseKey
oleaut32.dll | SysFreeString
gdi32.dll | CreateFontA
shell32.dll | ShellExecuteA
version.dll | GetFileVersionInfoA
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/01/22-17:08:43.514254 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49701 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:07:16.118415 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49682 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:08:36.499125 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49700 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:08:49.653446 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49702 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:07:48.171991 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49691 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:08:00.702896 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49693 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:07:22.198867 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49683 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:07:41.862031 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49690 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:08:06.673277 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49694 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:09:18.912433 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49706 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:07:54.614534 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49692 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:09:12.475195 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49705 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:07:40.062280 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49690 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:09:03.717769 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49704 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:08:56.029202 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49703 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:07:46.508056 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49691 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:07:52.816553 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49692 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:08:38.523559 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49700 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:07:20.412264 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49683 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:07:58.856083 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49693 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:08:04.907694 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49694 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:07:14.309819 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49682 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:07:26.854755 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49684 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:08:25.131746 | TCP | 2816718 | ETPRO TROJAN NanoCore RAT Keep-Alive Beacon | 49697 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:08:45.444375 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49701 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:07:16.118415 | TCP | 2816718 | ETPRO TROJAN NanoCore RAT Keep-Alive Beacon | 49682 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:08:51.692619 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49702 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:08:59.559197 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49703 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:08:23.697702 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49697 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:08:11.265098 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49695 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:08:17.220015 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49696 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:09:05.788694 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49704 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:07:35.720837 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49689 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:09:14.827870 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49705 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:08:31.982437 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49698 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:08:29.909653 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49698 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:07:29.595955 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49684 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:08:12.935261 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49695 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:08:25.559661 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49697 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:07:33.797666 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49689 | 27725 | 192.168.2.4 | 209.25.141.180
10/01/22-17:08:19.169513 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49696 | 27725 | 192.168.2.4 | 209.25.141.180
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 1, 2022 17:07:14.197493076 CEST | 49682 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:14.217550993 CEST | 27725 | 49682 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:14.218364000 CEST | 49682 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:14.309818983 CEST | 49682 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:14.543385983 CEST | 49682 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:14.853576899 CEST | 49682 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:14.873800993 CEST | 27725 | 49682 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:14.878578901 CEST | 49682 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:14.977317095 CEST | 27725 | 49682 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:15.015393972 CEST | 49682 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:15.153048038 CEST | 27725 | 49682 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:15.153136969 CEST | 49682 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:15.290601015 CEST | 27725 | 49682 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:15.290811062 CEST | 49682 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:15.428347111 CEST | 27725 | 49682 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:15.428497076 CEST | 49682 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:15.568593025 CEST | 27725 | 49682 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:15.568754911 CEST | 49682 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:15.706176996 CEST | 27725 | 49682 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:15.706270933 CEST | 49682 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:15.843080997 CEST | 27725 | 49682 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:15.843178034 CEST | 49682 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:15.980525970 CEST | 27725 | 49682 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:15.980670929 CEST | 49682 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:16.118257999 CEST | 27725 | 49682 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:16.118415117 CEST | 49682 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:16.151878119 CEST | 49682 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:20.390109062 CEST | 49683 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:20.411134005 CEST | 27725 | 49683 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:20.411254883 CEST | 49683 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:20.412264109 CEST | 49683 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:20.635322094 CEST | 49683 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:20.947900057 CEST | 49683 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:21.199137926 CEST | 27725 | 49683 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:21.199316978 CEST | 49683 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:21.287693024 CEST | 27725 | 49683 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:21.557292938 CEST | 49683 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:21.645483971 CEST | 27725 | 49683 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:21.657002926 CEST | 49683 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:21.787977934 CEST | 27725 | 49683 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:21.788037062 CEST | 49683 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:21.917632103 CEST | 27725 | 49683 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:21.917865038 CEST | 49683 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:22.046458006 CEST | 27725 | 49683 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:22.046555996 CEST | 49683 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:22.175045013 CEST | 27725 | 49683 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:22.198867083 CEST | 49683 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:22.327305079 CEST | 27725 | 49683 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:22.407402039 CEST | 49683 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:26.801925898 CEST | 49684 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:26.823497057 CEST | 27725 | 49684 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:26.823678017 CEST | 49684 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:26.854754925 CEST | 49684 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:27.245249987 CEST | 49684 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:27.558032036 CEST | 49684 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:27.683355093 CEST | 27725 | 49684 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:28.247941017 CEST | 49684 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:28.380733967 CEST | 27725 | 49684 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:28.380919933 CEST | 49684 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:28.513612986 CEST | 27725 | 49684 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:28.513681889 CEST | 49684 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:28.647469997 CEST | 27725 | 49684 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:28.652981997 CEST | 49684 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:28.789064884 CEST | 27725 | 49684 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:28.789145947 CEST | 49684 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:28.922751904 CEST | 27725 | 49684 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:28.922842979 CEST | 49684 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:29.056262016 CEST | 27725 | 49684 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:29.056349039 CEST | 49684 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:29.190498114 CEST | 27725 | 49684 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:29.190584898 CEST | 49684 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:29.328551054 CEST | 27725 | 49684 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:29.328627110 CEST | 49684 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:29.461513996 CEST | 27725 | 49684 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:29.461592913 CEST | 49684 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:29.594440937 CEST | 27725 | 49684 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:29.595954895 CEST | 49684 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:29.610259056 CEST | 49684 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:33.776952982 CEST | 49689 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:33.796523094 CEST | 27725 | 49689 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:33.796725988 CEST | 49689 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:33.797666073 CEST | 49689 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:34.027232885 CEST | 49689 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:34.339660883 CEST | 49689 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:34.594789982 CEST | 27725 | 49689 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:34.594961882 CEST | 49689 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:34.688628912 CEST | 27725 | 49689 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:34.949069977 CEST | 49689 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:35.045114040 CEST | 27725 | 49689 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:35.045214891 CEST | 49689 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:35.180012941 CEST | 27725 | 49689 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:35.180094957 CEST | 49689 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:35.315352917 CEST | 27725 | 49689 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:35.315531015 CEST | 49689 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:35.451826096 CEST | 27725 | 49689 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:35.451922894 CEST | 49689 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:35.585154057 CEST | 27725 | 49689 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:35.587045908 CEST | 49689 | 27725 | 192.168.2.4 | 209.25.141.180
Oct 1, 2022 17:07:35.720773935 CEST | 27725 | 49689 | 209.25.141.180 | 192.168.2.4
Oct 1, 2022 17:07:35.720837116 CEST | 49689 | 27725 | 192.168.2.4 | 209.25.141.180
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Oct 1, 2022 17:07:14.158483982 CEST | 52455 | 53 | 192.168.2.4 | 8.8.8.8
      Oct 1, 2022 17:07:14.183562040 CEST | 53 | 52455 | 8.8.8.8 | 192.168.2.4
      Oct 1, 2022 17:07:20.279519081 CEST | 63467 | 53 | 192.168.2.4 | 8.8.8.8
      Oct 1, 2022 17:07:20.387448072 CEST | 53 | 63467 | 8.8.8.8 | 192.168.2.4
      Oct 1, 2022 17:07:26.781613111 CEST | 50445 | 53 | 192.168.2.4 | 8.8.8.8
      Oct 1, 2022 17:07:26.800611973 CEST | 53 | 50445 | 8.8.8.8 | 192.168.2.4
      Oct 1, 2022 17:07:33.757738113 CEST | 50982 | 53 | 192.168.2.4 | 8.8.8.8
      Oct 1, 2022 17:07:33.775125980 CEST | 53 | 50982 | 8.8.8.8 | 192.168.2.4
      Oct 1, 2022 17:07:40.021703005 CEST | 60080 | 53 | 192.168.2.4 | 8.8.8.8
      Oct 1, 2022 17:07:40.041121006 CEST | 53 | 60080 | 8.8.8.8 | 192.168.2.4
      Oct 1, 2022 17:07:46.452584028 CEST | 61105 | 53 | 192.168.2.4 | 8.8.8.8
      Oct 1, 2022 17:07:46.469997883 CEST | 53 | 61105 | 8.8.8.8 | 192.168.2.4
      Oct 1, 2022 17:07:52.770283937 CEST | 56572 | 53 | 192.168.2.4 | 8.8.8.8
      Oct 1, 2022 17:07:52.793500900 CEST | 53 | 56572 | 8.8.8.8 | 192.168.2.4
      Oct 1, 2022 17:07:58.805419922 CEST | 50911 | 53 | 192.168.2.4 | 8.8.8.8
      Oct 1, 2022 17:07:58.824583054 CEST | 53 | 50911 | 8.8.8.8 | 192.168.2.4
      Oct 1, 2022 17:08:04.847346067 CEST | 59683 | 53 | 192.168.2.4 | 8.8.8.8
      Oct 1, 2022 17:08:04.881993055 CEST | 53 | 59683 | 8.8.8.8 | 192.168.2.4
      Oct 1, 2022 17:08:11.204330921 CEST | 64167 | 53 | 192.168.2.4 | 8.8.8.8
      Oct 1, 2022 17:08:11.232418060 CEST | 53 | 64167 | 8.8.8.8 | 192.168.2.4
      Oct 1, 2022 17:08:17.174144030 CEST | 58565 | 53 | 192.168.2.4 | 8.8.8.8
      Oct 1, 2022 17:08:17.193731070 CEST | 53 | 58565 | 8.8.8.8 | 192.168.2.4
      Oct 1, 2022 17:08:23.640496969 CEST | 52239 | 53 | 192.168.2.4 | 8.8.8.8
      Oct 1, 2022 17:08:23.669296980 CEST | 53 | 52239 | 8.8.8.8 | 192.168.2.4
      Oct 1, 2022 17:08:29.868820906 CEST | 61007 | 53 | 192.168.2.4 | 8.8.8.8
      Oct 1, 2022 17:08:29.888377905 CEST | 53 | 61007 | 8.8.8.8 | 192.168.2.4
      Oct 1, 2022 17:08:36.457030058 CEST | 60686 | 53 | 192.168.2.4 | 8.8.8.8
      Oct 1, 2022 17:08:36.474857092 CEST | 53 | 60686 | 8.8.8.8 | 192.168.2.4
      Oct 1, 2022 17:08:43.453597069 CEST | 61124 | 53 | 192.168.2.4 | 8.8.8.8
      Oct 1, 2022 17:08:43.482404947 CEST | 53 | 61124 | 8.8.8.8 | 192.168.2.4
      Oct 1, 2022 17:08:49.599940062 CEST | 59444 | 53 | 192.168.2.4 | 8.8.8.8
      Oct 1, 2022 17:08:49.623954058 CEST | 53 | 59444 | 8.8.8.8 | 192.168.2.4
      Oct 1, 2022 17:08:55.983712912 CEST | 55570 | 53 | 192.168.2.4 | 8.8.8.8
      Oct 1, 2022 17:08:56.002808094 CEST | 53 | 55570 | 8.8.8.8 | 192.168.2.4
      Oct 1, 2022 17:09:03.664727926 CEST | 64906 | 53 | 192.168.2.4 | 8.8.8.8
      Oct 1, 2022 17:09:03.688505888 CEST | 53 | 64906 | 8.8.8.8 | 192.168.2.4
      Oct 1, 2022 17:09:12.428196907 CEST | 59446 | 53 | 192.168.2.4 | 8.8.8.8
      Oct 1, 2022 17:09:12.447535038 CEST | 53 | 59446 | 8.8.8.8 | 192.168.2.4
      Oct 1, 2022 17:09:18.868763924 CEST | 50861 | 53 | 192.168.2.4 | 8.8.8.8
      Oct 1, 2022 17:09:18.888529062 CEST | 53 | 50861 | 8.8.8.8 | 192.168.2.4
      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
      Oct 1, 2022 17:07:14.158483982 CEST | 192.168.2.4 | 8.8.8.8 | 0xec05 | Standard query (0) | cable-corporation.at.playit.gg | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:07:20.279519081 CEST | 192.168.2.4 | 8.8.8.8 | 0xbeb2 | Standard query (0) | cable-corporation.at.playit.gg | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:07:26.781613111 CEST | 192.168.2.4 | 8.8.8.8 | 0x5172 | Standard query (0) | cable-corporation.at.playit.gg | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:07:33.757738113 CEST | 192.168.2.4 | 8.8.8.8 | 0x7d25 | Standard query (0) | cable-corporation.at.playit.gg | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:07:40.021703005 CEST | 192.168.2.4 | 8.8.8.8 | 0x4e43 | Standard query (0) | cable-corporation.at.playit.gg | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:07:46.452584028 CEST | 192.168.2.4 | 8.8.8.8 | 0x2306 | Standard query (0) | cable-corporation.at.playit.gg | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:07:52.770283937 CEST | 192.168.2.4 | 8.8.8.8 | 0x8992 | Standard query (0) | cable-corporation.at.playit.gg | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:07:58.805419922 CEST | 192.168.2.4 | 8.8.8.8 | 0xdc | Standard query (0) | cable-corporation.at.playit.gg | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:08:04.847346067 CEST | 192.168.2.4 | 8.8.8.8 | 0x3d28 | Standard query (0) | cable-corporation.at.playit.gg | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:08:11.204330921 CEST | 192.168.2.4 | 8.8.8.8 | 0xec95 | Standard query (0) | cable-corporation.at.playit.gg | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:08:17.174144030 CEST | 192.168.2.4 | 8.8.8.8 | 0x96f1 | Standard query (0) | cable-corporation.at.playit.gg | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:08:23.640496969 CEST | 192.168.2.4 | 8.8.8.8 | 0xe397 | Standard query (0) | cable-corporation.at.playit.gg | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:08:29.868820906 CEST | 192.168.2.4 | 8.8.8.8 | 0x76bc | Standard query (0) | cable-corporation.at.playit.gg | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:08:36.457030058 CEST | 192.168.2.4 | 8.8.8.8 | 0xb2d7 | Standard query (0) | cable-corporation.at.playit.gg | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:08:43.453597069 CEST | 192.168.2.4 | 8.8.8.8 | 0xd063 | Standard query (0) | cable-corporation.at.playit.gg | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:08:49.599940062 CEST | 192.168.2.4 | 8.8.8.8 | 0xf917 | Standard query (0) | cable-corporation.at.playit.gg | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:08:55.983712912 CEST | 192.168.2.4 | 8.8.8.8 | 0xdcff | Standard query (0) | cable-corporation.at.playit.gg | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:09:03.664727926 CEST | 192.168.2.4 | 8.8.8.8 | 0xd6c3 | Standard query (0) | cable-corporation.at.playit.gg | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:09:12.428196907 CEST | 192.168.2.4 | 8.8.8.8 | 0x24e4 | Standard query (0) | cable-corporation.at.playit.gg | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:09:18.868763924 CEST | 192.168.2.4 | 8.8.8.8 | 0xa7a0 | Standard query (0) | cable-corporation.at.playit.gg | A (IP address) | IN (0x0001) | false
      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
      Oct 1, 2022 17:07:14.183562040 CEST | 8.8.8.8 | 192.168.2.4 | 0xec05 | No error (0) | cable-corporation.at.playit.gg | | 209.25.141.180 | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:07:20.387448072 CEST | 8.8.8.8 | 192.168.2.4 | 0xbeb2 | No error (0) | cable-corporation.at.playit.gg | | 209.25.141.180 | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:07:26.800611973 CEST | 8.8.8.8 | 192.168.2.4 | 0x5172 | No error (0) | cable-corporation.at.playit.gg | | 209.25.141.180 | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:07:33.775125980 CEST | 8.8.8.8 | 192.168.2.4 | 0x7d25 | No error (0) | cable-corporation.at.playit.gg | | 209.25.141.180 | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:07:40.041121006 CEST | 8.8.8.8 | 192.168.2.4 | 0x4e43 | No error (0) | cable-corporation.at.playit.gg | | 209.25.141.180 | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:07:46.469997883 CEST | 8.8.8.8 | 192.168.2.4 | 0x2306 | No error (0) | cable-corporation.at.playit.gg | | 209.25.141.180 | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:07:52.793500900 CEST | 8.8.8.8 | 192.168.2.4 | 0x8992 | No error (0) | cable-corporation.at.playit.gg | | 209.25.141.180 | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:07:58.824583054 CEST | 8.8.8.8 | 192.168.2.4 | 0xdc | No error (0) | cable-corporation.at.playit.gg | | 209.25.141.180 | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:08:04.881993055 CEST | 8.8.8.8 | 192.168.2.4 | 0x3d28 | No error (0) | cable-corporation.at.playit.gg | | 209.25.141.180 | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:08:11.232418060 CEST | 8.8.8.8 | 192.168.2.4 | 0xec95 | No error (0) | cable-corporation.at.playit.gg | | 209.25.141.180 | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:08:17.193731070 CEST | 8.8.8.8 | 192.168.2.4 | 0x96f1 | No error (0) | cable-corporation.at.playit.gg | | 209.25.141.180 | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:08:23.669296980 CEST | 8.8.8.8 | 192.168.2.4 | 0xe397 | No error (0) | cable-corporation.at.playit.gg | | 209.25.141.180 | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:08:29.888377905 CEST | 8.8.8.8 | 192.168.2.4 | 0x76bc | No error (0) | cable-corporation.at.playit.gg | | 209.25.141.180 | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:08:36.474857092 CEST | 8.8.8.8 | 192.168.2.4 | 0xb2d7 | No error (0) | cable-corporation.at.playit.gg | | 209.25.141.180 | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:08:43.482404947 CEST | 8.8.8.8 | 192.168.2.4 | 0xd063 | No error (0) | cable-corporation.at.playit.gg | | 209.25.141.180 | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:08:49.623954058 CEST | 8.8.8.8 | 192.168.2.4 | 0xf917 | No error (0) | cable-corporation.at.playit.gg | | 209.25.141.180 | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:08:56.002808094 CEST | 8.8.8.8 | 192.168.2.4 | 0xdcff | No error (0) | cable-corporation.at.playit.gg | | 209.25.141.180 | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:09:03.688505888 CEST | 8.8.8.8 | 192.168.2.4 | 0xd6c3 | No error (0) | cable-corporation.at.playit.gg | | 209.25.141.180 | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:09:12.447535038 CEST | 8.8.8.8 | 192.168.2.4 | 0x24e4 | No error (0) | cable-corporation.at.playit.gg | | 209.25.141.180 | A (IP address) | IN (0x0001) | false
      Oct 1, 2022 17:09:18.888529062 CEST | 8.8.8.8 | 192.168.2.4 | 0xa7a0 | No error (0) | cable-corporation.at.playit.gg | | 209.25.141.180 | A (IP address) | IN (0x0001) | false
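
      The twenty lookups above fall roughly six seconds apart, every one returns the same address, and that address is the TCP peer on port 27725 in the traffic table above: a textbook C2 beacon, with the name hosted on a public reverse-tunnelling service rather than on operator infrastructure. The Python below is an added example, not part of the Joe Sandbox output. It takes the timestamps transcribed from the query table, measures the gap between consecutive lookups of each name, and flags a name as a beacon when the median absolute deviation of the gaps is small relative to the median gap. The thresholds (min_queries, max_jitter), the function names and the ANSWERS map are this example's own choices; the ANSWERS value is copied from the answer table.

```python
"""Beacon-interval analysis over the DNS query timestamps from this report.

Added example, not part of the sandbox output. Thresholds and function
names are this example's own choices.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Iterable, List, NamedTuple, Tuple

# Timestamp and queried name of every row in the DNS query table above,
# transcribed from the report (resolver and record type were constant).
DNS_QUERY_LINES = """\
Oct 1, 2022 17:07:14.158483982 CEST cable-corporation.at.playit.gg
Oct 1, 2022 17:07:20.279519081 CEST cable-corporation.at.playit.gg
Oct 1, 2022 17:07:26.781613111 CEST cable-corporation.at.playit.gg
Oct 1, 2022 17:07:33.757738113 CEST cable-corporation.at.playit.gg
Oct 1, 2022 17:07:40.021703005 CEST cable-corporation.at.playit.gg
Oct 1, 2022 17:07:46.452584028 CEST cable-corporation.at.playit.gg
Oct 1, 2022 17:07:52.770283937 CEST cable-corporation.at.playit.gg
Oct 1, 2022 17:07:58.805419922 CEST cable-corporation.at.playit.gg
Oct 1, 2022 17:08:04.847346067 CEST cable-corporation.at.playit.gg
Oct 1, 2022 17:08:11.204330921 CEST cable-corporation.at.playit.gg
Oct 1, 2022 17:08:17.174144030 CEST cable-corporation.at.playit.gg
Oct 1, 2022 17:08:23.640496969 CEST cable-corporation.at.playit.gg
Oct 1, 2022 17:08:29.868820906 CEST cable-corporation.at.playit.gg
Oct 1, 2022 17:08:36.457030058 CEST cable-corporation.at.playit.gg
Oct 1, 2022 17:08:43.453597069 CEST cable-corporation.at.playit.gg
Oct 1, 2022 17:08:49.599940062 CEST cable-corporation.at.playit.gg
Oct 1, 2022 17:08:55.983712912 CEST cable-corporation.at.playit.gg
Oct 1, 2022 17:09:03.664727926 CEST cable-corporation.at.playit.gg
Oct 1, 2022 17:09:12.428196907 CEST cable-corporation.at.playit.gg
Oct 1, 2022 17:09:18.868763924 CEST cable-corporation.at.playit.gg
"""

# Address returned for the name in every answer row above.
ANSWERS = {"cable-corporation.at.playit.gg": "209.25.141.180"}

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+ (\S+)$")


def parse_line(line: str) -> Tuple[datetime, str]:
    """Split one 'timestamp zone name' line. The sandbox prints nanoseconds
    and datetime only carries microseconds, so the fraction is truncated."""
    m = TS_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    base, frac, name = m.groups()
    ts = datetime.strptime(base, "%b %d, %Y %H:%M:%S")
    return ts.replace(microsecond=int(frac[:6].ljust(6, "0"))), name


def parse_lines(text: str) -> List[Tuple[datetime, str]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


class BeaconVerdict(NamedTuple):
    name: str
    resolved: str
    queries: int
    median_gap: float   # seconds between consecutive lookups
    jitter: float       # median absolute deviation of the gaps / median gap
    is_beacon: bool


def analyse(records: Iterable[Tuple[datetime, str]],
            min_queries: int = 8, max_jitter: float = 0.25) -> List[BeaconVerdict]:
    """Group lookups by name and score how regular their spacing is.

    MAD/median is used rather than stddev/mean so that one long gap (such
    as the 8.7 s gap before the 17:09:12 query above) does not hide an
    otherwise metronomic pattern."""
    by_name = defaultdict(list)
    for ts, name in records:
        by_name[name].append(ts)
    verdicts = []
    for name, times in sorted(by_name.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        resolved = ANSWERS.get(name, "?")
        if len(times) < min_queries:
            verdicts.append(BeaconVerdict(name, resolved, len(times), 0.0, 0.0, False))
            continue
        med = statistics.median(gaps)
        mad = statistics.median(abs(g - med) for g in gaps)
        jitter = mad / med if med > 0 else float("inf")
        verdicts.append(BeaconVerdict(name, resolved, len(times), med, jitter,
                                      jitter <= max_jitter))
    return verdicts


if __name__ == "__main__":
    for verdict in analyse(parse_lines(DNS_QUERY_LINES)):
        print(verdict)
```

      Run against the report's rows this yields a median gap of about 6.4 s with a jitter ratio near 0.03, so the name is flagged. On a real resolver log the same routine is applied per client and per name; a lookup rate this steady from a host that is not a monitoring system is worth a pivot to the TCP connections that follow each answer.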
      Target ID:0
      Start time:17:07:11
      Start date:01/10/2022
      Path:C:\Users\user\Desktop\G62PnhPS1s.exe
      Wow64 process (32bit):true
      Commandline:C:\Users\user\Desktop\G62PnhPS1s.exe
      Imagebase:0x400000
      File size:1246208 bytes
      MD5 hash:07653FD9F64401F9F1696F4782C926F4
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
      • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, Author: ditekSHen
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.579918584.0000000005D60000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp, Author: Florian Roth
      • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp, Author: ditekSHen
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.579790309.0000000005AD0000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.575419070.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
      Reputation:low

      Target ID:1
      Start time:17:07:12
      Start date:01/10/2022
      Path:C:\Windows\SysWOW64\schtasks.exe
      Wow64 process (32bit):true
      Commandline:"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpF33C.tmp"
      Imagebase:0x1f0000
      File size:185856 bytes
      MD5 hash:15FF7D8324231381BAD48A052F85DF04
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:2
      Start time:17:07:12
      Start date:01/10/2022
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff7c72c0000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:3
      Start time:17:07:13
      Start date:01/10/2022
      Path:C:\Windows\SysWOW64\schtasks.exe
      Wow64 process (32bit):true
      Commandline:"schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpF531.tmp"
      Imagebase:0x1f0000
      File size:185856 bytes
      MD5 hash:15FF7D8324231381BAD48A052F85DF04
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:4
      Start time:17:07:13
      Start date:01/10/2022
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff7c72c0000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:5
      Start time:17:07:14
      Start date:01/10/2022
      Path:C:\Users\user\Desktop\G62PnhPS1s.exe
      Wow64 process (32bit):true
      Commandline:C:\Users\user\Desktop\G62PnhPS1s.exe 0
      Imagebase:0x400000
      File size:1246208 bytes
      MD5 hash:07653FD9F64401F9F1696F4782C926F4
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Yara matches:
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.329900820.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.324622791.0000000000402000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
      • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.329067555.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.329067555.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
      Reputation:low

      Target ID:6
      Start time:17:07:14
      Start date:01/10/2022
      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Wow64 process (32bit):true
      Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
      Imagebase:0x400000
      File size:1246208 bytes
      MD5 hash:07653FD9F64401F9F1696F4782C926F4
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Yara matches:
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.329734424.000000000422E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.329633274.0000000004219000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
      • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.329073054.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.329073054.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
      • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
      Antivirus matches:
      • Detection: 100%, Avira
      • Detection: 100%, Joe Sandbox ML
      • Detection: 85%, ReversingLabs
      • Detection: 51%, Virustotal, Browse
      Reputation:low

      Target ID:7
      Start time:17:07:24
      Start date:01/10/2022
      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Wow64 process (32bit):true
      Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
      Imagebase:0x400000
      File size:1246208 bytes
      MD5 hash:07653FD9F64401F9F1696F4782C926F4
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:Borland Delphi
      Reputation:low
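
      The listing shows the sample register two scheduled tasks from XML files in the user's Temp directory (the "Scheduled temp file as task from temp location" Sigma hit in the signature list) and then run again as dhcpmon.exe from a newly created "DHCP Monitor" directory, with the same MD5 as the submitted file, once elevated and once not. The Python below is an added example, not part of the Joe Sandbox output. It encodes those two observations as checks over the process records transcribed from the listing, with two constructed benign schtasks lines as controls. The function names, the temp-directory list and the control records are this example's own; the quoting of the two schtasks command lines has been balanced.

```python
"""Persistence checks over the process records of this report.

Added example, not part of the sandbox output. Function names, the
temp-directory list and the two control records are this example's own.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# (target ID, image path, command line, MD5) transcribed from the process
# listing above; targets 90 and 91 are constructed benign controls.
PROCESSES: List[Tuple[int, str, str, str]] = [
    (0, r"C:\Users\user\Desktop\G62PnhPS1s.exe",
     r"C:\Users\user\Desktop\G62PnhPS1s.exe", "07653FD9F64401F9F1696F4782C926F4"),
    (1, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpF33C.tmp"',
     "15FF7D8324231381BAD48A052F85DF04"),
    (2, r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "EA777DEEA782E8B4D7C7C33BBF8A4496"),
    (3, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpF531.tmp"',
     "15FF7D8324231381BAD48A052F85DF04"),
    (4, r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "EA777DEEA782E8B4D7C7C33BBF8A4496"),
    (5, r"C:\Users\user\Desktop\G62PnhPS1s.exe",
     r"C:\Users\user\Desktop\G62PnhPS1s.exe 0", "07653FD9F64401F9F1696F4782C926F4"),
    (6, r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
     r'"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0', "07653FD9F64401F9F1696F4782C926F4"),
    (7, r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
     r'"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"', "07653FD9F64401F9F1696F4782C926F4"),
    # Constructed controls: a task created from a non-temp XML, and a query.
    (90, r"C:\Windows\System32\schtasks.exe",
     r'schtasks.exe /create /tn "Nightly Backup" /xml "C:\ProgramData\Backup\nightly.xml"',
     "15FF7D8324231381BAD48A052F85DF04"),
    (91, r"C:\Windows\System32\schtasks.exe",
     r'schtasks.exe /query /tn "Nightly Backup"', "15FF7D8324231381BAD48A052F85DF04"),
]

# Locations a legitimate installer has no reason to stage task XML in.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "%temp%", "%tmp%")

# /tn and /xml take either a quoted or a bare argument.
TN_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
XML_RE = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def _arg(m: "re.Match") -> str:
    return m.group(1) or m.group(2)


class TaskFinding(NamedTuple):
    target: int
    task_name: str
    xml_path: str
    forced: bool   # /f silently replaces an existing task of the same name


def find_temp_task_creation(processes) -> List[TaskFinding]:
    """Flag schtasks /create invocations whose /xml definition lives in a
    temp directory. Matching on the image path, not argv[0], defeats the
    trick of renaming the copied binary."""
    findings = []
    for target, path, cmdline, _md5 in processes:
        if not path.lower().endswith("\\schtasks.exe"):
            continue
        if not re.search(r"/create\b", cmdline, re.IGNORECASE):
            continue
        xml = XML_RE.search(cmdline)
        if not xml or not any(t in _arg(xml).lower() for t in TEMP_DIRS):
            continue
        tn = TN_RE.search(cmdline)
        forced = bool(re.search(r"\s/f\b", cmdline, re.IGNORECASE))
        findings.append(TaskFinding(target, _arg(tn) if tn else "", _arg(xml), forced))
    return findings


def find_self_copies(processes, sample_md5: str) -> Dict[str, List[int]]:
    """Map every image path whose hash equals the sample's to the targets
    that ran from it; more than one path means the sample installed itself."""
    paths: Dict[str, List[int]] = {}
    for target, path, _cmd, md5 in processes:
        if md5.lower() == sample_md5.lower():
            paths.setdefault(path, []).append(target)
    return paths


if __name__ == "__main__":
    for f in find_temp_task_creation(PROCESSES):
        print(f"target {f.target}: task {f.task_name!r} from {f.xml_path} forced={f.forced}")
    for p, targets in find_self_copies(PROCESSES, "07653fd9f64401f9f1696f4782c926f4").items():
        print(f"{p} ran as targets {targets}")
```

      Both checks fire on the report's own records and stay silent on the controls. The task name and the install directory share the "DHCP Monitor" string, which is worth carrying into a hunt query: a task whose name matches a folder under Program Files created in the same minute is a stronger signal than either artefact alone.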

      No disassembly