Edit tour

Windows Analysis Report
646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Overview

General Information

Sample Name:	646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Analysis ID:	797493
MD5:	e01a14abc90acecb1fe2aba8d3adb71f
SHA1:	1dbe3b0d1e76eef6e1cd8c28e59a67b067eb6988
SHA256:	646b292f7a79327604ddfdb0f535ee8d3832e46dc86a980986016fdba3d64627
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Cassandra Crypter

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Antivirus / Scanner detection for submitted sample

Sigma detected: Scheduled temp file as task from temp location

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe (PID: 1228 cmdline: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe MD5: E01A14ABC90ACECB1FE2ABA8D3ADB71F)

schtasks.exe (PID: 1308 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmp9381.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe (PID: 5724 cmdline: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe MD5: E01A14ABC90ACECB1FE2ABA8D3ADB71F)

schtasks.exe (PID: 5060 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpBC6A.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5128 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpBDD3.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe (PID: 1900 cmdline: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe 0 MD5: E01A14ABC90ACECB1FE2ABA8D3ADB71F)

schtasks.exe (PID: 5004 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmpA582.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe (PID: 5244 cmdline: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe MD5: E01A14ABC90ACECB1FE2ABA8D3ADB71F)

hbVCUlv.exe (PID: 6028 cmdline: C:\Users\user\AppData\Roaming\hbVCUlv.exe MD5: E01A14ABC90ACECB1FE2ABA8D3ADB71F)

schtasks.exe (PID: 5172 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmp8DA5.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

hbVCUlv.exe (PID: 1228 cmdline: C:\Users\user\AppData\Roaming\hbVCUlv.exe MD5: E01A14ABC90ACECB1FE2ABA8D3ADB71F)

dhcpmon.exe (PID: 4788 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: E01A14ABC90ACECB1FE2ABA8D3ADB71F)

schtasks.exe (PID: 6044 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmpA776.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 6088 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: E01A14ABC90ACECB1FE2ABA8D3ADB71F)

dhcpmon.exe (PID: 4600 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: E01A14ABC90ACECB1FE2ABA8D3ADB71F)

schtasks.exe (PID: 4492 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmpCABE.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 5072 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: E01A14ABC90ACECB1FE2ABA8D3ADB71F)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "10210cfb-2ea1-47f3-8c75-6fce83e4", "Group": "oob", "Domain1": "brianbriano.ddns.net", "Domain2": "127.0.0.1", "Port": 10001, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.343692976.0000000002801000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.343692976.0000000002801000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x238a7:$a: NanoCore 0x23900:$a: NanoCore 0x2393d:$a: NanoCore 0x239b6:$a: NanoCore 0x23909:$b: ClientPlugin 0x23946:$b: ClientPlugin 0x24244:$b: ClientPlugin 0x24251:$b: ClientPlugin 0x1b605:$e: KeepAlive 0x23d91:$g: LogClientMessage 0x23d11:$i: get_Connected 0x158d9:$j: #=q 0x15909:$j: #=q 0x15945:$j: #=q 0x1596d:$j: #=q 0x1599d:$j: #=q 0x159cd:$j: #=q 0x159fd:$j: #=q 0x15a2d:$j: #=q 0x15a49:$j: #=q 0x15a79:$j: #=q
00000010.00000002.343692976.0000000002801000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2393d:$a1: NanoCore.ClientPluginHost 0x23900:$a2: NanoCore.ClientPlugin 0x16e13:$b1: get_BuilderSettings 0x23cd4:$b1: get_BuilderSettings 0x2398b:$b4: IClientAppHost 0x23d45:$b6: AddHostEntry 0x16d82:$b7: LogClientException 0x23db4:$b7: LogClientException 0x23d29:$b8: PipeExists 0x23978:$b9: IClientLoggingHost
00000000.00000002.307508938.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CassandraCrypter	Yara detected Cassandra Crypter	Joe Security
00000008.00000002.318734843.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CassandraCrypter	Yara detected Cassandra Crypter	Joe Security
00000013.00000002.355128673.0000000003151000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.355128673.0000000003151000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x237db:$a: NanoCore 0x23834:$a: NanoCore 0x23871:$a: NanoCore 0x238ea:$a: NanoCore 0x2383d:$b: ClientPlugin 0x2387a:$b: ClientPlugin 0x24178:$b: ClientPlugin 0x24185:$b: ClientPlugin 0x1b539:$e: KeepAlive 0x23cc5:$g: LogClientMessage 0x23c45:$i: get_Connected 0x1580d:$j: #=q 0x1583d:$j: #=q 0x15879:$j: #=q 0x158a1:$j: #=q 0x158d1:$j: #=q 0x15901:$j: #=q 0x15931:$j: #=q 0x15961:$j: #=q 0x1597d:$j: #=q 0x159ad:$j: #=q
00000013.00000002.355128673.0000000003151000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x23871:$a1: NanoCore.ClientPluginHost 0x23834:$a2: NanoCore.ClientPlugin 0x16d47:$b1: get_BuilderSettings 0x23c08:$b1: get_BuilderSettings 0x238bf:$b4: IClientAppHost 0x23c79:$b6: AddHostEntry 0x16cb6:$b7: LogClientException 0x23ce8:$b7: LogClientException 0x23c5d:$b8: PipeExists 0x238ac:$b9: IClientLoggingHost
00000009.00000002.331266992.000000000371A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CassandraCrypter	Yara detected Cassandra Crypter	Joe Security
00000003.00000002.578951789.0000000005B70000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000003.00000002.578951789.0000000005B70000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000003.00000002.578951789.0000000005B70000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000003.00000002.578951789.0000000005B70000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
00000000.00000002.314033178.00000000051D0000.00000004.08000000.00040000.00000000.sdmp	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x45855:$name: ConfuserEx 0x44d85:$compile: AssemblyTitle
00000000.00000002.314033178.00000000051D0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_EXE_Packed_Cassandra	Detects executables packed with Cassandra/CyaX	ditekSHen	0x45a43:$c1: CyaX-Sharp 0x461e4:$c1: CyaX-Sharp 0x4624c:$c1: CyaX-Sharp 0x46308:$c1: CyaX-Sharp 0x46348:$c1: CyaX-Sharp 0x440a2:$c2: CyaX_Sharp 0x44a03:$c2: CyaX_Sharp 0x44f4f:$c2: CyaX_Sharp
00000000.00000002.311567488.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xfd44d:$x1: NanoCore.ClientPluginHost 0x12fe6d:$x1: NanoCore.ClientPluginHost 0xfd48a:$x2: IClientNetworkHost 0x12feaa:$x2: IClientNetworkHost 0x100fbd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1339dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.311567488.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.311567488.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfd1b5:$a: NanoCore 0xfd1c5:$a: NanoCore 0xfd3f9:$a: NanoCore 0xfd40d:$a: NanoCore 0xfd44d:$a: NanoCore 0x12fbd5:$a: NanoCore 0x12fbe5:$a: NanoCore 0x12fe19:$a: NanoCore 0x12fe2d:$a: NanoCore 0x12fe6d:$a: NanoCore 0xfd214:$b: ClientPlugin 0xfd416:$b: ClientPlugin 0xfd456:$b: ClientPlugin 0x12fc34:$b: ClientPlugin 0x12fe36:$b: ClientPlugin 0x12fe76:$b: ClientPlugin 0xfd33b:$c: ProjectData 0x12fd5b:$c: ProjectData 0xfdd42:$d: DESCrypto 0x130762:$d: DESCrypto 0x10570e:$e: KeepAlive
00000000.00000002.311567488.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xfd44d:$a1: NanoCore.ClientPluginHost 0x12fe6d:$a1: NanoCore.ClientPluginHost 0xfd40d:$a2: NanoCore.ClientPlugin 0x12fe2d:$a2: NanoCore.ClientPlugin 0xff366:$b1: get_BuilderSettings 0x131d86:$b1: get_BuilderSettings 0xfd269:$b2: ClientLoaderForm.resources 0x12fc89:$b2: ClientLoaderForm.resources 0xfea86:$b3: PluginCommand 0x1314a6:$b3: PluginCommand 0xfd43e:$b4: IClientAppHost 0x12fe5e:$b4: IClientAppHost 0x1078be:$b5: GetBlockHash 0x13a2de:$b5: GetBlockHash 0xff9be:$b6: AddHostEntry 0x1323de:$b6: AddHostEntry 0x1036b1:$b7: LogClientException 0x1360d1:$b7: LogClientException 0xff92b:$b8: PipeExists 0x13234b:$b8: PipeExists 0xfd477:$b9: IClientLoggingHost
00000000.00000002.314578400.0000000005E90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CassandraCrypter	Yara detected Cassandra Crypter	Joe Security
00000000.00000002.314578400.0000000005E90000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_EXE_Packed_Cassandra	Detects executables packed with Cassandra/CyaX	ditekSHen	0x254f:$pdb: \CyaX\obj\Debug\CyaX.pdb
00000003.00000002.573594094.0000000003201000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x11525:$a1: NanoCore.ClientPluginHost 0x114e8:$a2: NanoCore.ClientPlugin 0x118bc:$b1: get_BuilderSettings 0x11573:$b4: IClientAppHost 0x1192d:$b6: AddHostEntry 0x1199c:$b7: LogClientException 0x11911:$b8: PipeExists 0x11560:$b9: IClientLoggingHost
0000000D.00000002.324082470.000000000315A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CassandraCrypter	Yara detected Cassandra Crypter	Joe Security
00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
0000000C.00000002.342518655.0000000003621000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.342518655.0000000003621000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23983:$a: NanoCore 0x239dc:$a: NanoCore 0x23a19:$a: NanoCore 0x23a92:$a: NanoCore 0x239e5:$b: ClientPlugin 0x23a22:$b: ClientPlugin 0x24320:$b: ClientPlugin 0x2432d:$b: ClientPlugin 0x1b6e1:$e: KeepAlive 0x23e6d:$g: LogClientMessage 0x23ded:$i: get_Connected 0x159b5:$j: #=q 0x159e5:$j: #=q 0x15a21:$j: #=q 0x15a49:$j: #=q 0x15a79:$j: #=q 0x15aa9:$j: #=q 0x15ad9:$j: #=q 0x15b09:$j: #=q 0x15b25:$j: #=q 0x15b55:$j: #=q
0000000C.00000002.342518655.0000000003621000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x23a19:$a1: NanoCore.ClientPluginHost 0x239dc:$a2: NanoCore.ClientPlugin 0x16eef:$b1: get_BuilderSettings 0x23db0:$b1: get_BuilderSettings 0x23a67:$b4: IClientAppHost 0x23e21:$b6: AddHostEntry 0x16e5e:$b7: LogClientException 0x23e90:$b7: LogClientException 0x23e05:$b8: PipeExists 0x23a54:$b9: IClientLoggingHost
0000000C.00000002.342969185.0000000004621000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.342969185.0000000004621000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a45:$a: NanoCore 0x49a9e:$a: NanoCore 0x49adb:$a: NanoCore 0x49b54:$a: NanoCore 0x5d1ff:$a: NanoCore 0x5d214:$a: NanoCore 0x5d249:$a: NanoCore 0x761d3:$a: NanoCore 0x761e8:$a: NanoCore 0x7621d:$a: NanoCore 0x49aa7:$b: ClientPlugin 0x49ae4:$b: ClientPlugin 0x4a3e2:$b: ClientPlugin 0x4a3ef:$b: ClientPlugin 0x5cfbb:$b: ClientPlugin 0x5cfd6:$b: ClientPlugin 0x5d006:$b: ClientPlugin 0x5d21d:$b: ClientPlugin 0x5d252:$b: ClientPlugin 0x75f8f:$b: ClientPlugin 0x75faa:$b: ClientPlugin
0000000C.00000002.342969185.0000000004621000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x49adb:$a1: NanoCore.ClientPluginHost 0x5d249:$a1: NanoCore.ClientPluginHost 0x7621d:$a1: NanoCore.ClientPluginHost 0x49a9e:$a2: NanoCore.ClientPlugin 0x5d214:$a2: NanoCore.ClientPlugin 0x761e8:$a2: NanoCore.ClientPlugin 0x49e72:$b1: get_BuilderSettings 0x6218f:$b1: get_BuilderSettings 0x7b163:$b1: get_BuilderSettings 0x49b29:$b4: IClientAppHost 0x49ee3:$b6: AddHostEntry 0x49f52:$b7: LogClientException 0x620fe:$b7: LogClientException 0x7b0d2:$b7: LogClientException 0x49ec7:$b8: PipeExists 0x49b16:$b9: IClientLoggingHost 0x5d263:$b9: IClientLoggingHost 0x76237:$b9: IClientLoggingHost
0000000C.00000002.332550764.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.332550764.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.332550764.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000002.332550764.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 1228	JoeSecurity_CassandraCrypter	Yara detected Cassandra Crypter	Joe Security
Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 1228	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5724	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5724	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1a2b1:$a: NanoCore 0x2eb80:$a: NanoCore 0x2ebd9:$a: NanoCore 0x2ec16:$a: NanoCore 0x2ec8f:$a: NanoCore 0x2f548:$a: NanoCore 0x2f59b:$a: NanoCore 0x2f5d4:$a: NanoCore 0x2f647:$a: NanoCore 0x5970a:$a: NanoCore 0x59763:$a: NanoCore 0x597a0:$a: NanoCore 0x59819:$a: NanoCore 0x5a0be:$a: NanoCore 0x5a111:$a: NanoCore 0x5a14a:$a: NanoCore 0x5a1bd:$a: NanoCore 0xa0a5a:$a: NanoCore 0xa0a6f:$a: NanoCore 0xa0aa4:$a: NanoCore 0xa5c26:$a: NanoCore
Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5724	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2ec16:$a1: NanoCore.ClientPluginHost 0x597a0:$a1: NanoCore.ClientPluginHost 0xa0aa4:$a1: NanoCore.ClientPluginHost 0x2ebd9:$a2: NanoCore.ClientPlugin 0x59763:$a2: NanoCore.ClientPlugin 0xa0a6f:$a2: NanoCore.ClientPlugin 0x2ef90:$b1: get_BuilderSettings 0x59b06:$b1: get_BuilderSettings 0xa5876:$b1: get_BuilderSettings 0x2ec64:$b4: IClientAppHost 0x597ee:$b4: IClientAppHost 0x2f001:$b6: AddHostEntry 0x59b77:$b6: AddHostEntry 0x2f070:$b7: LogClientException 0x59be6:$b7: LogClientException 0xa57e5:$b7: LogClientException 0x2efe5:$b8: PipeExists 0x59b5b:$b8: PipeExists 0x2ec51:$b9: IClientLoggingHost 0x597db:$b9: IClientLoggingHost 0xa0abe:$b9: IClientLoggingHost
Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 1900	JoeSecurity_CassandraCrypter	Yara detected Cassandra Crypter	Joe Security
Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 1900	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: hbVCUlv.exe PID: 6028	JoeSecurity_CassandraCrypter	Yara detected Cassandra Crypter	Joe Security
Process Memory Space: hbVCUlv.exe PID: 6028	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5244	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1479b:$x1: NanoCore.ClientPluginHost 0x17524:$x1: NanoCore.ClientPluginHost 0x2bd7c:$x1: NanoCore.ClientPluginHost 0x147b5:$x2: IClientNetworkHost 0x1753e:$x2: IClientNetworkHost 0x2bdb9:$x2: IClientNetworkHost 0x2f8aa:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3a930:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5244	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5244	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5708:$a: NanoCore 0x6133:$a: NanoCore 0xb555:$a: NanoCore 0xb5c3:$a: NanoCore 0xb63d:$a: NanoCore 0x14705:$a: NanoCore 0x1475e:$a: NanoCore 0x1479b:$a: NanoCore 0x14814:$a: NanoCore 0x14fa0:$a: NanoCore 0x14ff3:$a: NanoCore 0x1502c:$a: NanoCore 0x1509f:$a: NanoCore 0x15dd4:$a: NanoCore 0x16120:$a: NanoCore 0x1748e:$a: NanoCore 0x174e7:$a: NanoCore 0x17524:$a: NanoCore 0x1759d:$a: NanoCore 0x17e56:$a: NanoCore 0x17ea9:$a: NanoCore
Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5244	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1479b:$a1: NanoCore.ClientPluginHost 0x17524:$a1: NanoCore.ClientPluginHost 0x2bd7c:$a1: NanoCore.ClientPluginHost 0x1475e:$a2: NanoCore.ClientPlugin 0x174e7:$a2: NanoCore.ClientPlugin 0x2bd3c:$a2: NanoCore.ClientPlugin 0xdee1:$b1: get_BuilderSettings 0x1789e:$b1: get_BuilderSettings 0x2dc53:$b1: get_BuilderSettings 0x2bafd:$b2: ClientLoaderForm.resources 0x2d373:$b3: PluginCommand 0x147e9:$b4: IClientAppHost 0x17572:$b4: IClientAppHost 0x2bd6d:$b4: IClientAppHost 0x361a6:$b5: GetBlockHash 0x14af4:$b6: AddHostEntry 0x1790f:$b6: AddHostEntry 0x2e2ab:$b6: AddHostEntry 0x393ca:$b6: AddHostEntry 0xde50:$b7: LogClientException 0x1797e:$b7: LogClientException
Process Memory Space: dhcpmon.exe PID: 4788	JoeSecurity_CassandraCrypter	Yara detected Cassandra Crypter	Joe Security
Process Memory Space: dhcpmon.exe PID: 4788	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 6088	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6088	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x620:$a: NanoCore 0x68e:$a: NanoCore 0x701:$a: NanoCore 0x97a9:$a: NanoCore 0x9802:$a: NanoCore 0x983f:$a: NanoCore 0x98b8:$a: NanoCore 0xa044:$a: NanoCore 0xa097:$a: NanoCore 0xa0d0:$a: NanoCore 0xa143:$a: NanoCore 0xadd5:$a: NanoCore 0xae90:$a: NanoCore 0xd5f3:$a: NanoCore 0xd607:$a: NanoCore 0x1314a:$a: NanoCore 0x4b0d:$b: ClientPlugin 0x4b4e:$b: ClientPlugin 0x980b:$b: ClientPlugin 0x9848:$b: ClientPlugin 0x9ff4:$b: ClientPlugin
Process Memory Space: dhcpmon.exe PID: 6088	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x983f:$a1: NanoCore.ClientPluginHost 0x9802:$a2: NanoCore.ClientPlugin 0x2f7e:$b1: get_BuilderSettings 0x988d:$b4: IClientAppHost 0x9b98:$b6: AddHostEntry 0x2eed:$b7: LogClientException 0x9b7c:$b8: PipeExists 0x987a:$b9: IClientLoggingHost
Process Memory Space: hbVCUlv.exe PID: 1228	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: hbVCUlv.exe PID: 1228	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x7ad:$a: NanoCore 0x81b:$a: NanoCore 0x8aa:$a: NanoCore 0x9906:$a: NanoCore 0x995f:$a: NanoCore 0x999c:$a: NanoCore 0x9a15:$a: NanoCore 0xa1a1:$a: NanoCore 0xa1f4:$a: NanoCore 0xa22d:$a: NanoCore 0xa2a0:$a: NanoCore 0xaf1c:$a: NanoCore 0xafc9:$a: NanoCore 0x4c6a:$b: ClientPlugin 0x4cab:$b: ClientPlugin 0x9968:$b: ClientPlugin 0x99a5:$b: ClientPlugin 0xa151:$b: ClientPlugin 0xa15e:$b: ClientPlugin 0xa1fd:$b: ClientPlugin 0xa236:$b: ClientPlugin
Process Memory Space: hbVCUlv.exe PID: 1228	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x999c:$a1: NanoCore.ClientPluginHost 0x995f:$a2: NanoCore.ClientPlugin 0x30db:$b1: get_BuilderSettings 0x99ea:$b4: IClientAppHost 0x9cf5:$b6: AddHostEntry 0x304a:$b7: LogClientException 0x9cd9:$b8: PipeExists 0x99d7:$b9: IClientLoggingHost
Click to see the 54 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e90000.6.unpack	INDICATOR_EXE_Packed_Cassandra	Detects executables packed with Cassandra/CyaX	ditekSHen	0x74f:$pdb: \CyaX\obj\Debug\CyaX.pdb
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
9.2.hbVCUlv.exe.3731598.1.raw.unpack	JoeSecurity_CassandraCrypter	Yara detected Cassandra Crypter	Joe Security
9.2.hbVCUlv.exe.3731598.1.raw.unpack	INDICATOR_EXE_Packed_Cassandra	Detects executables packed with Cassandra/CyaX	ditekSHen	0x254f:$pdb: \CyaX\obj\Debug\CyaX.pdb
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3cfb720.2.raw.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x45855:$name: ConfuserEx 0x44d85:$compile: AssemblyTitle
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3cfb720.2.raw.unpack	INDICATOR_EXE_Packed_Cassandra	Detects executables packed with Cassandra/CyaX	ditekSHen	0x45a43:$c1: CyaX-Sharp 0x461e4:$c1: CyaX-Sharp 0x4624c:$c1: CyaX-Sharp 0x46308:$c1: CyaX-Sharp 0x46348:$c1: CyaX-Sharp 0x440a2:$c2: CyaX_Sharp 0x44a03:$c2: CyaX_Sharp 0x44f4f:$c2: CyaX_Sharp
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28781:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287ae:$x2: IClientNetworkHost
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28781:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2985c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x2879b:$s5: IClientLoggingHost
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x2874c:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28781:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28740:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x28762:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28771:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x2879b:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x287ae:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x287c1:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x287cf:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x287eb:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x28781:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x2874c:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d6c7:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d636:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x2879b:$b9: IClientLoggingHost
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.51d0000.5.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x43a55:$name: ConfuserEx 0x42f85:$compile: AssemblyTitle
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.51d0000.5.unpack	INDICATOR_EXE_Packed_Cassandra	Detects executables packed with Cassandra/CyaX	ditekSHen	0x43c43:$c1: CyaX-Sharp 0x443e4:$c1: CyaX-Sharp 0x4444c:$c1: CyaX-Sharp 0x44508:$c1: CyaX-Sharp 0x44548:$c1: CyaX-Sharp 0x422a2:$c2: CyaX_Sharp 0x42c03:$c2: CyaX_Sharp 0x4314f:$c2: CyaX_Sharp
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.46730c5.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0x24158:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x24185:$x2: IClientNetworkHost
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.46730c5.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0x24158:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25233:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x24172:$s5: IClientLoggingHost
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.46730c5.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.46730c5.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x24123:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x24158:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x24117:$i2: IClientData 0xb165:$i3: IClientNetwork 0x24139:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x24148:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x24172:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x24185:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x24198:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x241a6:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x241c2:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.46730c5.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x24158:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x24123:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x2909e:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x2900d:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x24172:$b9: IClientLoggingHost
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e90000.6.raw.unpack	JoeSecurity_CassandraCrypter	Yara detected Cassandra Crypter	Joe Security
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e90000.6.raw.unpack	INDICATOR_EXE_Packed_Cassandra	Detects executables packed with Cassandra/CyaX	ditekSHen	0x254f:$pdb: \CyaX\obj\Debug\CyaX.pdb
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e14629.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e14629.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e14629.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e14629.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e14629.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
8.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.2ee1600.0.unpack	INDICATOR_EXE_Packed_Cassandra	Detects executables packed with Cassandra/CyaX	ditekSHen	0x74f:$pdb: \CyaX\obj\Debug\CyaX.pdb
8.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.2ee1600.0.raw.unpack	JoeSecurity_CassandraCrypter	Yara detected Cassandra Crypter	Joe Security
8.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.2ee1600.0.raw.unpack	INDICATOR_EXE_Packed_Cassandra	Detects executables packed with Cassandra/CyaX	ditekSHen	0x254f:$pdb: \CyaX\obj\Debug\CyaX.pdb
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.2b845cc.1.unpack	INDICATOR_EXE_Packed_Cassandra	Detects executables packed with Cassandra/CyaX	ditekSHen	0x74f:$pdb: \CyaX\obj\Debug\CyaX.pdb
9.2.hbVCUlv.exe.3731598.1.unpack	INDICATOR_EXE_Packed_Cassandra	Detects executables packed with Cassandra/CyaX	ditekSHen	0x74f:$pdb: \CyaX\obj\Debug\CyaX.pdb
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3cfb720.2.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x43a55:$name: ConfuserEx 0x42f85:$compile: AssemblyTitle
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3cfb720.2.unpack	INDICATOR_EXE_Packed_Cassandra	Detects executables packed with Cassandra/CyaX	ditekSHen	0x43c43:$c1: CyaX-Sharp 0x443e4:$c1: CyaX-Sharp 0x4444c:$c1: CyaX-Sharp 0x44508:$c1: CyaX-Sharp 0x44548:$c1: CyaX-Sharp 0x422a2:$c2: CyaX_Sharp 0x42c03:$c2: CyaX_Sharp 0x4314f:$c2: CyaX_Sharp
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.2b845cc.1.raw.unpack	JoeSecurity_CassandraCrypter	Yara detected Cassandra Crypter	Joe Security
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.2b845cc.1.raw.unpack	INDICATOR_EXE_Packed_Cassandra	Detects executables packed with Cassandra/CyaX	ditekSHen	0x254f:$pdb: \CyaX\obj\Debug\CyaX.pdb
13.2.dhcpmon.exe.31715b8.1.raw.unpack	JoeSecurity_CassandraCrypter	Yara detected Cassandra Crypter	Joe Security
13.2.dhcpmon.exe.31715b8.1.raw.unpack	INDICATOR_EXE_Packed_Cassandra	Detects executables packed with Cassandra/CyaX	ditekSHen	0x254f:$pdb: \CyaX\obj\Debug\CyaX.pdb
19.2.hbVCUlv.exe.31739fc.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
19.2.hbVCUlv.exe.31739fc.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
19.2.hbVCUlv.exe.31739fc.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
19.2.hbVCUlv.exe.31739fc.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
13.2.dhcpmon.exe.31715b8.1.unpack	INDICATOR_EXE_Packed_Cassandra	Detects executables packed with Cassandra/CyaX	ditekSHen	0x74f:$pdb: \CyaX\obj\Debug\CyaX.pdb
16.2.dhcpmon.exe.2823ac8.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
16.2.dhcpmon.exe.2823ac8.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
16.2.dhcpmon.exe.2823ac8.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
16.2.dhcpmon.exe.2823ac8.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.51d0000.5.raw.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x45855:$name: ConfuserEx 0x44d85:$compile: AssemblyTitle
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.51d0000.5.raw.unpack	INDICATOR_EXE_Packed_Cassandra	Detects executables packed with Cassandra/CyaX	ditekSHen	0x45a43:$c1: CyaX-Sharp 0x461e4:$c1: CyaX-Sharp 0x4624c:$c1: CyaX-Sharp 0x46308:$c1: CyaX-Sharp 0x46348:$c1: CyaX-Sharp 0x440a2:$c2: CyaX_Sharp 0x44a03:$c2: CyaX_Sharp 0x44f4f:$c2: CyaX_Sharp
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5b70000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5b70000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5b70000.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5b70000.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3643ba4.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3643ba4.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3643ba4.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3643ba4.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.32116b0.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.32116b0.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.32116b0.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.32116b0.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.4669c66.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5b7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5e4:$x2: IClientNetworkHost
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.4669c66.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5b7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e692:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5d1:$s5: IClientLoggingHost
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.4669c66.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.4669c66.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d582:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d5b7:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d576:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d598:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d5a7:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d5d1:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.4669c66.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d56d:$a: NanoCore 0x2d582:$a: NanoCore 0x2d5b7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d329:$b: ClientPlugin 0x2d344:$b: ClientPlugin
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.4669c66.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2d5b7:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x2d582:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0x324fd:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x3246c:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost 0x2d5d1:$b9: IClientLoggingHost
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42915:$x1: NanoCore Client 0x42925:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42b6d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42bad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42b62:$i1: IClientApp 0x10163:$i2: IClientData 0x42b83:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42b8f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x42b9e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x42bc7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x42bd7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42bad:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42b6d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44ac6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x429c9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x441e6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42b9e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d01e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x4511e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x48e11:$b7: LogClientException 0x1266b:$b8: PipeExists 0x4508b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
Click to see the 92 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, ProcessId: 5724, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmp9381.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmp9381.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, ParentImage: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, ParentProcessId: 1228, ParentProcessName: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmp9381.tmp, ProcessId: 1308, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Snort Signatures

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549710100012025019 02/03/23-00:28:31.654776
SID:	2025019
Source Port:	49710
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549710100012816766 02/03/23-00:28:33.834752
SID:	2816766
Source Port:	49710
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549696100012025019 02/03/23-00:27:05.348657
SID:	2025019
Source Port:	49696
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549714100012025019 02/03/23-00:28:55.473039
SID:	2025019
Source Port:	49714
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549703100012025019 02/03/23-00:27:48.578100
SID:	2025019
Source Port:	49703
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549697100012025019 02/03/23-00:27:11.697985
SID:	2025019
Source Port:	49697
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549698100012025019 02/03/23-00:27:19.121500
SID:	2025019
Source Port:	49698
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549709100012025019 02/03/23-00:28:24.651689
SID:	2025019
Source Port:	49709
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549702100012025019 02/03/23-00:27:42.402353
SID:	2025019
Source Port:	49702
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549698100012816766 02/03/23-00:27:21.094469
SID:	2816766
Source Port:	49698
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549715100012816766 02/03/23-00:29:05.373729
SID:	2816766
Source Port:	49715
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549697100012816766 02/03/23-00:27:13.460347
SID:	2816766
Source Port:	49697
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549708100012025019 02/03/23-00:28:17.926799
SID:	2025019
Source Port:	49708
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549696100012816766 02/03/23-00:27:07.112967
SID:	2816766
Source Port:	49696
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549703100012816766 02/03/23-00:27:50.380926
SID:	2816766
Source Port:	49703
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549714100012816766 02/03/23-00:28:58.124908
SID:	2816766
Source Port:	49714
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549704100012816766 02/03/23-00:27:57.519906
SID:	2816766
Source Port:	49704
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549708100012816766 02/03/23-00:28:19.942981
SID:	2816766
Source Port:	49708
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549709100012816766 02/03/23-00:28:26.847077
SID:	2816766
Source Port:	49709
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549697100012816718 02/03/23-00:27:12.093478
SID:	2816718
Source Port:	49697
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549704100012025019 02/03/23-00:27:55.553197
SID:	2025019
Source Port:	49704
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549715100012025019 02/03/23-00:29:04.002318
SID:	2025019
Source Port:	49715
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549702100012816766 02/03/23-00:27:44.172937
SID:	2816766
Source Port:	49702
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.4 - Destination IP: 184.105.237.195

Timestamp:	192.168.2.4184.105.237.19549708100012816718 02/03/23-00:28:19.942981
SID:	2816718
Source Port:	49708
Destination Port:	10001
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	ReversingLabs: Detection: 82%
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Virustotal: Detection: 73%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Avira: detection malicious, Label: HEUR/AGEN.1202153
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Avira: detection malicious, Label: HEUR/AGEN.1202153

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 82%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	ReversingLabs: Detection: 82%

Yara detected Nanocore RAT

Source: Yara match	File source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.46730c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e14629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.4669c66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.343692976.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.355128673.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.311567488.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.342518655.0000000003621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.342969185.0000000004621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.332550764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hbVCUlv.exe PID: 1228, type: MEMORYSTR

Machine Learning detection for sample

Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected

Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.unpack	Avira: Label: TR/NanoCore.fadte

Source: 00000010.00000002.343692976.0000000002801000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "10210cfb-2ea1-47f3-8c75-6fce83e4", "Group": "oob", "Domain1": "brianbriano.ddns.net", "Domain2": "127.0.0.1", "Port": 10001, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Cassandra\Desktop\Premium\CyaX\CyaX\obj\Debug\CyaX.pdb source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000000.00000002.307508938.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp, 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000000.00000002.314578400.0000000005E90000.00000004.08000000.00040000.00000000.sdmp, 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000008.00000002.318734843.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp, hbVCUlv.exe, 00000009.00000002.331266992.000000000371A000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000D.00000002.324082470.000000000315A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cassandra\Desktop\Premium\CyaX\CyaX\obj\Debug\CyaX.pdbTDnD `D_CorDllMainmscoree.dll source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000000.00000002.307508938.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp, 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000000.00000002.314578400.0000000005E90000.00000004.08000000.00040000.00000000.sdmp, 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000008.00000002.318734843.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp, hbVCUlv.exe, 00000009.00000002.331266992.000000000371A000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000D.00000002.324082470.000000000315A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000002.572467871.00000000012F5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Sako\source\repos\NvidiaCatalysts\NvidiaCatalysts\obj\Debug\NvidiaCatalysts.pdb source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000000.00000002.307508938.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp, 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000000.00000002.313010978.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, hbVCUlv.exe, 00000009.00000002.331266992.000000000398C000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000D.00000002.324082470.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000014.00000002.349071481.0000000002C91000.00000004.00000800.00020000.00000000.sdmp

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49696 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49696 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49697 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49697 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.4:49697 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49698 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49698 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49702 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49702 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49703 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49703 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49704 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49704 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49708 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49708 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.4:49708 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49709 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49709 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49710 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49710 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49714 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49714 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49715 -> 184.105.237.195:10001
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49715 -> 184.105.237.195:10001

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: brianbriano.ddns.net
Source: Malware configuration extractor	URLs: 127.0.0.1

Uses dynamic DNS services

Source: unknown

DNS query: name: brianbriano.ddns.net

Source: Joe Sandbox View

ASN Name: RVBA2016US RVBA2016US

Source: Joe Sandbox View

IP Address: 184.105.237.195 184.105.237.195

Source: global traffic

TCP traffic: 192.168.2.4:49696 -> 184.105.237.195:10001

Source: unknown

DNS traffic detected: queries for: brianbriano.ddns.net

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Code function: 3_2_05443242 WSARecv,

Source: hbVCUlv.exe, 00000009.00000002.329810050.00000000015AA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.46730c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e14629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.4669c66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.343692976.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.355128673.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.311567488.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.342518655.0000000003621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.342969185.0000000004621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.332550764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hbVCUlv.exe PID: 1228, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e90000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Cassandra/CyaX Author: ditekSHen
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.hbVCUlv.exe.3731598.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Cassandra/CyaX Author: ditekSHen
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3cfb720.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Cassandra/CyaX Author: ditekSHen
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.51d0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Cassandra/CyaX Author: ditekSHen
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.46730c5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.46730c5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.46730c5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e90000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Cassandra/CyaX Author: ditekSHen
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e14629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e14629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e14629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.2ee1600.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Cassandra/CyaX Author: ditekSHen
Source: 8.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.2ee1600.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Cassandra/CyaX Author: ditekSHen
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.2b845cc.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Cassandra/CyaX Author: ditekSHen
Source: 9.2.hbVCUlv.exe.3731598.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Cassandra/CyaX Author: ditekSHen
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3cfb720.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Cassandra/CyaX Author: ditekSHen
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.2b845cc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Cassandra/CyaX Author: ditekSHen
Source: 13.2.dhcpmon.exe.31715b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Cassandra/CyaX Author: ditekSHen
Source: 19.2.hbVCUlv.exe.31739fc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.hbVCUlv.exe.31739fc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.hbVCUlv.exe.31739fc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.dhcpmon.exe.31715b8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Cassandra/CyaX Author: ditekSHen
Source: 16.2.dhcpmon.exe.2823ac8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 16.2.dhcpmon.exe.2823ac8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.2.dhcpmon.exe.2823ac8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.51d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with Cassandra/CyaX Author: ditekSHen
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5b70000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5b70000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5b70000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3643ba4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3643ba4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3643ba4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.32116b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.32116b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.32116b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.4669c66.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.4669c66.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.4669c66.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.4669c66.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000010.00000002.343692976.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.343692976.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000013.00000002.355128673.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.355128673.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.578951789.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.578951789.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.578951789.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.314033178.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables packed with Cassandra/CyaX Author: ditekSHen
Source: 00000000.00000002.311567488.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.311567488.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.311567488.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.314578400.0000000005E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables packed with Cassandra/CyaX Author: ditekSHen
Source: 00000003.00000002.573594094.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000C.00000002.342518655.0000000003621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.342518655.0000000003621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000C.00000002.342969185.0000000004621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.342969185.0000000004621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000C.00000002.332550764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000C.00000002.332550764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.332550764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5724, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5724, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5244, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5244, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5244, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dhcpmon.exe PID: 6088, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6088, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: hbVCUlv.exe PID: 1228, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: hbVCUlv.exe PID: 1228, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e90000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_Cassandra author = ditekSHen, description = Detects executables packed with Cassandra/CyaX
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.hbVCUlv.exe.3731598.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_Cassandra author = ditekSHen, description = Detects executables packed with Cassandra/CyaX
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3cfb720.2.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, score = 2021-01-22, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2021-01-25
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3cfb720.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_Cassandra author = ditekSHen, description = Detects executables packed with Cassandra/CyaX
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.51d0000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, score = 2021-01-22, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2021-01-25
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.51d0000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_Cassandra author = ditekSHen, description = Detects executables packed with Cassandra/CyaX
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.46730c5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.46730c5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.46730c5.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.46730c5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e90000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_Cassandra author = ditekSHen, description = Detects executables packed with Cassandra/CyaX
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e14629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e14629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e14629.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e14629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.2ee1600.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_Cassandra author = ditekSHen, description = Detects executables packed with Cassandra/CyaX
Source: 8.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.2ee1600.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_Cassandra author = ditekSHen, description = Detects executables packed with Cassandra/CyaX
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.2b845cc.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_Cassandra author = ditekSHen, description = Detects executables packed with Cassandra/CyaX
Source: 9.2.hbVCUlv.exe.3731598.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_Cassandra author = ditekSHen, description = Detects executables packed with Cassandra/CyaX
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3cfb720.2.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, score = 2021-01-22, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2021-01-25
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3cfb720.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_Cassandra author = ditekSHen, description = Detects executables packed with Cassandra/CyaX
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.2b845cc.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_Cassandra author = ditekSHen, description = Detects executables packed with Cassandra/CyaX
Source: 13.2.dhcpmon.exe.31715b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_Cassandra author = ditekSHen, description = Detects executables packed with Cassandra/CyaX
Source: 19.2.hbVCUlv.exe.31739fc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.hbVCUlv.exe.31739fc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.hbVCUlv.exe.31739fc.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.hbVCUlv.exe.31739fc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.dhcpmon.exe.31715b8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_Cassandra author = ditekSHen, description = Detects executables packed with Cassandra/CyaX
Source: 16.2.dhcpmon.exe.2823ac8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.dhcpmon.exe.2823ac8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.dhcpmon.exe.2823ac8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.2.dhcpmon.exe.2823ac8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.51d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, score = 2021-01-22, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2021-01-25
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.51d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_Cassandra author = ditekSHen, description = Detects executables packed with Cassandra/CyaX
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5b70000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5b70000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5b70000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5b70000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3643ba4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3643ba4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3643ba4.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3643ba4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.32116b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.32116b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.32116b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.32116b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.4669c66.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.4669c66.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.4669c66.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.4669c66.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.4669c66.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000010.00000002.343692976.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.343692976.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000013.00000002.355128673.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.355128673.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.578951789.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.578951789.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.578951789.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.578951789.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.314033178.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, score = 2021-01-22, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2021-01-25
Source: 00000000.00000002.314033178.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_EXE_Packed_Cassandra author = ditekSHen, description = Detects executables packed with Cassandra/CyaX
Source: 00000000.00000002.311567488.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.311567488.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.311567488.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.314578400.0000000005E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_EXE_Packed_Cassandra author = ditekSHen, description = Detects executables packed with Cassandra/CyaX
Source: 00000003.00000002.573594094.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000C.00000002.342518655.0000000003621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.342518655.0000000003621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000C.00000002.342969185.0000000004621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.342969185.0000000004621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000C.00000002.332550764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000C.00000002.332550764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.332550764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5724, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5724, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5244, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5244, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5244, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dhcpmon.exe PID: 6088, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6088, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: hbVCUlv.exe PID: 1228, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: hbVCUlv.exe PID: 1228, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D53C4B
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D53468
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D5D198
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D54551
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D51D70
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D5D6B8
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D5E230
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D5DBC0
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D5A4F8
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D5C490
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D53441
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D54063
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D55DC0
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D529BC
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D57100
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D57530
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D572D0
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D59ACB
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D572E0
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D5CA00
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D513DB
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D557E4
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D5CFA0
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D59B5A
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D59F40
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D57708
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D5AF28
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 3_2_053289D8
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 3_2_05323850
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 3_2_053223A0
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 3_2_05322FA8
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 3_2_0532B2A8
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 3_2_053295D8
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 3_2_0532306F
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 3_2_053232BB
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 3_2_0532969F
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_05064560
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_05061D80
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_05063C58
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_05063468
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_0506D4A8
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_0506DB18
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_0506CFA0
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_0506BFD8
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_05067100
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_05067522
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_05067530
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_05064551
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_050629B1
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_050629C0
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_05063411
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_05063442
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_05063C4A
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_05064061
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_05064070
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_0506C490
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_0506A4A8
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_0506A4F8
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_05067708
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_05067718
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_0506AF28
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_05069F30
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_05069F40
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_05069B6A
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_0506D768
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_050613DB
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_050657D9
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_050657E8
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_0506ABF0
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_0506CA00
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_050672D0
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_050672E0
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E1D80
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E4560
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019ED4A8
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E3C58
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E3468
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019ECFA0
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019EBFD8
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019EDB18
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019EB180
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E29B1
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E29C0
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E7100
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E7530
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E7522
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E4551
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019EC490
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019EA4F8
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E70F0
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E3C4A
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E4070
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E4061
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E13DB
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E57D9
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E33C8
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019EABF0
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E57E8
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E7718
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E7708
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E9F30
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019EAF28
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E9F40
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019ED768
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E72D0
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E72E0
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019ECA00
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 12_2_05783850
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 12_2_05782FA8
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 12_2_057823A0
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 12_2_0578306F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_05351D70
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_05354551
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_05353468
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_05353C4A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_0535D4A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_0535DB18
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_0535CFA0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_0535BFD8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_05357530
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_05357522
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_05357100
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_053529B1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_053599A6
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_05354061
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_05353442
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_0535C490
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_053570F0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_0535A4F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_0535AF28
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_05359F40
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_053533DE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_053557D9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_053513DB
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_0535CA00
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_053572E0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_053572D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_053552DF
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_053576C8

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 3_2_05441BB2 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 3_2_05441B77 NtQuerySystemInformation,

Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hbVCUlv.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	ReversingLabs: Detection: 82%
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Virustotal: Detection: 73%

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

File read: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Jump to behavior

Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmp9381.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process created: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpBC6A.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpBDD3.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe 0
Source: unknown	Process created: C:\Users\user\AppData\Roaming\hbVCUlv.exe C:\Users\user\AppData\Roaming\hbVCUlv.exe
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmpA582.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process created: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmpA776.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmp8DA5.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process created: C:\Users\user\AppData\Roaming\hbVCUlv.exe C:\Users\user\AppData\Roaming\hbVCUlv.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmpCABE.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmp9381.tmp
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process created: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpBC6A.tmp
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpBDD3.tmp
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmpA582.tmp
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process created: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmp8DA5.tmp
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process created: C:\Users\user\AppData\Roaming\hbVCUlv.exe C:\Users\user\AppData\Roaming\hbVCUlv.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmpA776.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmpCABE.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 3_2_05441972 AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 3_2_0544193B AdjustTokenPrivileges,

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

File created: C:\Users\user\AppData\Roaming\hbVCUlv.exe

Jump to behavior

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

File created: C:\Users\user\AppData\Local\Temp\tmp9381.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@36/16@11/2

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1504:120:WilError_01
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{10210cfb-2ea1-47f3-8c75-6fce83e45536}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5232:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:640:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6076:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1236:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2024:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:476:120:WilError_01

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Cassandra\Desktop\Premium\CyaX\CyaX\obj\Debug\CyaX.pdb source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000000.00000002.307508938.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp, 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000000.00000002.314578400.0000000005E90000.00000004.08000000.00040000.00000000.sdmp, 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000008.00000002.318734843.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp, hbVCUlv.exe, 00000009.00000002.331266992.000000000371A000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000D.00000002.324082470.000000000315A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cassandra\Desktop\Premium\CyaX\CyaX\obj\Debug\CyaX.pdbTDnD `D_CorDllMainmscoree.dll source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000000.00000002.307508938.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp, 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000000.00000002.314578400.0000000005E90000.00000004.08000000.00040000.00000000.sdmp, 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000008.00000002.318734843.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp, hbVCUlv.exe, 00000009.00000002.331266992.000000000371A000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000D.00000002.324082470.000000000315A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000002.572467871.00000000012F5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Sako\source\repos\NvidiaCatalysts\NvidiaCatalysts\obj\Debug\NvidiaCatalysts.pdb source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000000.00000002.307508938.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp, 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000000.00000002.313010978.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, hbVCUlv.exe, 00000009.00000002.331266992.000000000398C000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000D.00000002.324082470.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000014.00000002.349071481.0000000002C91000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, MDXBuilderLibrary/mdx/customs.sap/OamwprvrocOJZnNrAmQoLkQzciYnGqbYgJj.cs	.Net Code: qxkGUihlCJoTUsiRmINKakbBkAYUkuvqVcD System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: hbVCUlv.exe.0.dr, MDXBuilderLibrary/mdx/customs.sap/OamwprvrocOJZnNrAmQoLkQzciYnGqbYgJj.cs	.Net Code: qxkGUihlCJoTUsiRmINKakbBkAYUkuvqVcD System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.500000.0.unpack, MDXBuilderLibrary/mdx/customs.sap/OamwprvrocOJZnNrAmQoLkQzciYnGqbYgJj.cs	.Net Code: qxkGUihlCJoTUsiRmINKakbBkAYUkuvqVcD System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: dhcpmon.exe.3.dr, MDXBuilderLibrary/mdx/customs.sap/OamwprvrocOJZnNrAmQoLkQzciYnGqbYgJj.cs	.Net Code: qxkGUihlCJoTUsiRmINKakbBkAYUkuvqVcD System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D5842B push ebp; iretd
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 0_2_04D52D0F push eax; ret
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 3_2_01319D74 push eax; retf
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 3_2_01319D78 pushad ; retf
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_0506842B push ebp; iretd
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 8_2_05062CFD push eax; ret
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E2D0F push eax; ret
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Code function: 9_2_019E842B push ebp; iretd
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 12_2_016A2BAD push 00000001h; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_0535842B push ebp; iretd
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_05352CFD push eax; ret

Source: initial sample	Static PE information: section name: .text entropy: 7.954638266049198
Source: initial sample	Static PE information: section name: .text entropy: 7.954638266049198
Source: initial sample	Static PE information: section name: .text entropy: 7.954638266049198

Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, MDXBuilderLibrary/mdx/hYjztwlHalratuEEXrgEdjRuSEaXIDhor.cs	High entropy of concatenated method names: 'qfhRjEZoBmHHgAuEThlXpPUOCioHGubpjynu', 'qjsafFJQsqccTFnSJqIcimYDXAtNjzwwWkeN', 'uDEkyqWoXGysovpGfWgAujswYWYJKWRzEGnt', 'tTWuYDwPjgILtYSWzoAQOEUqJgdGdINjhRu', 'msyjRUfRlxCuBiscHvzcjREXDgEwOWVSuHT', 'kSQNgYPoETokzqwKLVipXOaRhtsZJvaNiELO', '.ctor', 'WcKjEmIXNlXadilcqmLauzSXvHrXZxSlZ', 'JlEAKuzlbepEGlheqolAINakbWRTxXvom', 'pBGrzvtuSUwHahONhsPiKPWlDlcSGBHEmpeC'
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, MDXBuilderLibrary/mdx/customs.sap/XXeWeEglvjQktonzXhCTIjJiTcahnsNdq.cs	High entropy of concatenated method names: '.ctor', '.ctor', 'QURgdwyLfCIfiFZDfQgtUtZWWYZzkXSyeyri', 'QbZDkIDNcpEomWODPjXhrrdDnbGLChjImrT', 'GoPsvbRWwRIwWBjTDqmgbsigLLLeyLXOv', 'STIWOGXwVnvYBvxhgPIGhERDXdVyeQJJIGL', 'yZthNsErVZVYyqKzgCHGpqXUvKGNvUYBpR', 'voXffePzeOHqPGhyAuoZacDQWupKkRNajx', 'SBUURBBAVFruSFjpEJfUmwxzSuKJwbOYPgrk', 'ngeANWcCjSvhLbWOqlkGdpyyFHqZqBVAEv'
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, MDXBuilderLibrary/mdx/customs.sap/XFPcyOixxYugHBqLtySoJiQIRUtuezDVrZQ.cs	High entropy of concatenated method names: 'PyYpzdKsjrdgNgiQbFIJqsQYwlHFQJTaVmv', 'pHelfmkwACXpeglIPkBSKyVixwdSWBVeF', 'dXCpGbNnZULUQlwUojGiOqgRRCUAUbAtIbvg', 'CrbIuGShxeHphIZwjAtYzWdUhYkcqrHBuDl', 'QdIsQtNcJScnuDBRRsDVNOAExGNaRNQUEd', 'dPLqBGnivUzuUVVuQBOAyHmNiwZqWOokh', 'JAlDgJtdqlVUqTJaxQDKVPmiNVGCWsitxVA', 'hjBgqGWldQjKUoGcofuFnkOEkjRerdyue', 'qxeTROOsFopHDpZsiRBWwTHycICdrcarWGi'
Source: hbVCUlv.exe.0.dr, MDXBuilderLibrary/mdx/hYjztwlHalratuEEXrgEdjRuSEaXIDhor.cs	High entropy of concatenated method names: 'qfhRjEZoBmHHgAuEThlXpPUOCioHGubpjynu', 'qjsafFJQsqccTFnSJqIcimYDXAtNjzwwWkeN', 'uDEkyqWoXGysovpGfWgAujswYWYJKWRzEGnt', 'tTWuYDwPjgILtYSWzoAQOEUqJgdGdINjhRu', 'msyjRUfRlxCuBiscHvzcjREXDgEwOWVSuHT', 'kSQNgYPoETokzqwKLVipXOaRhtsZJvaNiELO', '.ctor', 'WcKjEmIXNlXadilcqmLauzSXvHrXZxSlZ', 'JlEAKuzlbepEGlheqolAINakbWRTxXvom', 'pBGrzvtuSUwHahONhsPiKPWlDlcSGBHEmpeC'
Source: hbVCUlv.exe.0.dr, MDXBuilderLibrary/mdx/customs.sap/XFPcyOixxYugHBqLtySoJiQIRUtuezDVrZQ.cs	High entropy of concatenated method names: 'PyYpzdKsjrdgNgiQbFIJqsQYwlHFQJTaVmv', 'pHelfmkwACXpeglIPkBSKyVixwdSWBVeF', 'dXCpGbNnZULUQlwUojGiOqgRRCUAUbAtIbvg', 'CrbIuGShxeHphIZwjAtYzWdUhYkcqrHBuDl', 'QdIsQtNcJScnuDBRRsDVNOAExGNaRNQUEd', 'dPLqBGnivUzuUVVuQBOAyHmNiwZqWOokh', 'JAlDgJtdqlVUqTJaxQDKVPmiNVGCWsitxVA', 'hjBgqGWldQjKUoGcofuFnkOEkjRerdyue', 'qxeTROOsFopHDpZsiRBWwTHycICdrcarWGi'
Source: hbVCUlv.exe.0.dr, MDXBuilderLibrary/mdx/customs.sap/XXeWeEglvjQktonzXhCTIjJiTcahnsNdq.cs	High entropy of concatenated method names: '.ctor', '.ctor', 'QURgdwyLfCIfiFZDfQgtUtZWWYZzkXSyeyri', 'QbZDkIDNcpEomWODPjXhrrdDnbGLChjImrT', 'GoPsvbRWwRIwWBjTDqmgbsigLLLeyLXOv', 'STIWOGXwVnvYBvxhgPIGhERDXdVyeQJJIGL', 'yZthNsErVZVYyqKzgCHGpqXUvKGNvUYBpR', 'voXffePzeOHqPGhyAuoZacDQWupKkRNajx', 'SBUURBBAVFruSFjpEJfUmwxzSuKJwbOYPgrk', 'ngeANWcCjSvhLbWOqlkGdpyyFHqZqBVAEv'
Source: 0.0.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.500000.0.unpack, MDXBuilderLibrary/mdx/hYjztwlHalratuEEXrgEdjRuSEaXIDhor.cs	High entropy of concatenated method names: 'qfhRjEZoBmHHgAuEThlXpPUOCioHGubpjynu', 'qjsafFJQsqccTFnSJqIcimYDXAtNjzwwWkeN', 'uDEkyqWoXGysovpGfWgAujswYWYJKWRzEGnt', 'tTWuYDwPjgILtYSWzoAQOEUqJgdGdINjhRu', 'msyjRUfRlxCuBiscHvzcjREXDgEwOWVSuHT', 'kSQNgYPoETokzqwKLVipXOaRhtsZJvaNiELO', '.ctor', 'WcKjEmIXNlXadilcqmLauzSXvHrXZxSlZ', 'JlEAKuzlbepEGlheqolAINakbWRTxXvom', 'pBGrzvtuSUwHahONhsPiKPWlDlcSGBHEmpeC'
Source: 0.0.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.500000.0.unpack, MDXBuilderLibrary/mdx/customs.sap/XXeWeEglvjQktonzXhCTIjJiTcahnsNdq.cs	High entropy of concatenated method names: '.ctor', '.ctor', 'QURgdwyLfCIfiFZDfQgtUtZWWYZzkXSyeyri', 'QbZDkIDNcpEomWODPjXhrrdDnbGLChjImrT', 'GoPsvbRWwRIwWBjTDqmgbsigLLLeyLXOv', 'STIWOGXwVnvYBvxhgPIGhERDXdVyeQJJIGL', 'yZthNsErVZVYyqKzgCHGpqXUvKGNvUYBpR', 'voXffePzeOHqPGhyAuoZacDQWupKkRNajx', 'SBUURBBAVFruSFjpEJfUmwxzSuKJwbOYPgrk', 'ngeANWcCjSvhLbWOqlkGdpyyFHqZqBVAEv'
Source: 0.0.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.500000.0.unpack, MDXBuilderLibrary/mdx/customs.sap/XFPcyOixxYugHBqLtySoJiQIRUtuezDVrZQ.cs	High entropy of concatenated method names: 'PyYpzdKsjrdgNgiQbFIJqsQYwlHFQJTaVmv', 'pHelfmkwACXpeglIPkBSKyVixwdSWBVeF', 'dXCpGbNnZULUQlwUojGiOqgRRCUAUbAtIbvg', 'CrbIuGShxeHphIZwjAtYzWdUhYkcqrHBuDl', 'QdIsQtNcJScnuDBRRsDVNOAExGNaRNQUEd', 'dPLqBGnivUzuUVVuQBOAyHmNiwZqWOokh', 'JAlDgJtdqlVUqTJaxQDKVPmiNVGCWsitxVA', 'hjBgqGWldQjKUoGcofuFnkOEkjRerdyue', 'qxeTROOsFopHDpZsiRBWwTHycICdrcarWGi'
Source: dhcpmon.exe.3.dr, MDXBuilderLibrary/mdx/hYjztwlHalratuEEXrgEdjRuSEaXIDhor.cs	High entropy of concatenated method names: 'qfhRjEZoBmHHgAuEThlXpPUOCioHGubpjynu', 'qjsafFJQsqccTFnSJqIcimYDXAtNjzwwWkeN', 'uDEkyqWoXGysovpGfWgAujswYWYJKWRzEGnt', 'tTWuYDwPjgILtYSWzoAQOEUqJgdGdINjhRu', 'msyjRUfRlxCuBiscHvzcjREXDgEwOWVSuHT', 'kSQNgYPoETokzqwKLVipXOaRhtsZJvaNiELO', '.ctor', 'WcKjEmIXNlXadilcqmLauzSXvHrXZxSlZ', 'JlEAKuzlbepEGlheqolAINakbWRTxXvom', 'pBGrzvtuSUwHahONhsPiKPWlDlcSGBHEmpeC'
Source: dhcpmon.exe.3.dr, MDXBuilderLibrary/mdx/customs.sap/XXeWeEglvjQktonzXhCTIjJiTcahnsNdq.cs	High entropy of concatenated method names: '.ctor', '.ctor', 'QURgdwyLfCIfiFZDfQgtUtZWWYZzkXSyeyri', 'QbZDkIDNcpEomWODPjXhrrdDnbGLChjImrT', 'GoPsvbRWwRIwWBjTDqmgbsigLLLeyLXOv', 'STIWOGXwVnvYBvxhgPIGhERDXdVyeQJJIGL', 'yZthNsErVZVYyqKzgCHGpqXUvKGNvUYBpR', 'voXffePzeOHqPGhyAuoZacDQWupKkRNajx', 'SBUURBBAVFruSFjpEJfUmwxzSuKJwbOYPgrk', 'ngeANWcCjSvhLbWOqlkGdpyyFHqZqBVAEv'
Source: dhcpmon.exe.3.dr, MDXBuilderLibrary/mdx/customs.sap/XFPcyOixxYugHBqLtySoJiQIRUtuezDVrZQ.cs	High entropy of concatenated method names: 'PyYpzdKsjrdgNgiQbFIJqsQYwlHFQJTaVmv', 'pHelfmkwACXpeglIPkBSKyVixwdSWBVeF', 'dXCpGbNnZULUQlwUojGiOqgRRCUAUbAtIbvg', 'CrbIuGShxeHphIZwjAtYzWdUhYkcqrHBuDl', 'QdIsQtNcJScnuDBRRsDVNOAExGNaRNQUEd', 'dPLqBGnivUzuUVVuQBOAyHmNiwZqWOokh', 'JAlDgJtdqlVUqTJaxQDKVPmiNVGCWsitxVA', 'hjBgqGWldQjKUoGcofuFnkOEkjRerdyue', 'qxeTROOsFopHDpZsiRBWwTHycICdrcarWGi'
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	File created: C:\Users\user\AppData\Roaming\hbVCUlv.exe			Jump to dropped file
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmp9381.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

File opened: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected Cassandra Crypter

Source: Yara match	File source: 9.2.hbVCUlv.exe.3731598.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e90000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.2ee1600.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.2b845cc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.31715b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.307508938.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.318734843.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.331266992.000000000371A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.314578400.0000000005E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.324082470.000000000315A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 1228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 1900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hbVCUlv.exe PID: 6028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4788, type: MEMORYSTR

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 1228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 1900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hbVCUlv.exe PID: 6028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4788, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000000.00000002.307508938.0000000002B46000.00000004.00000800.00020000.00000000.sdmp, 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000008.00000002.318734843.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp, hbVCUlv.exe, 00000009.00000002.331266992.00000000036F6000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000D.00000002.324082470.0000000003136000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000014.00000002.349071481.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000000.00000002.307508938.0000000002B46000.00000004.00000800.00020000.00000000.sdmp, 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000008.00000002.318734843.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp, hbVCUlv.exe, 00000009.00000002.331266992.00000000036F6000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000D.00000002.324082470.0000000003136000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000014.00000002.349071481.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe TID: 5020	Thread sleep time: -57196s >= -30000s
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe TID: 5224	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe TID: 3000	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe TID: 6104	Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe TID: 4440	Thread sleep time: -57736s >= -30000s
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe TID: 6068	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe TID: 4696	Thread sleep time: -46876s >= -30000s
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe TID: 3860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe TID: 3292	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2160	Thread sleep time: -55185s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2344	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1888	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe TID: 3832	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2120	Thread sleep time: -52766s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4440	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6044	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Window / User API: foregroundWindowGot 968

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Code function: 3_2_0544169A GetSystemInfo,

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Thread delayed: delay time: 57196
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Thread delayed: delay time: 57736
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Thread delayed: delay time: 46876
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 55185
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 52766
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: dhcpmon.exe, 00000014.00000002.349071481.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II,SOFTWARE\Microsoft\Windows Defender\Features
Source: dhcpmon.exe, 00000014.00000002.349071481.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: dhcpmon.exe, 00000014.00000002.349071481.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000014.00000002.349071481.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: dhcpmon.exe, 00000014.00000002.349071481.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: dhcpmon.exe, 00000014.00000002.349071481.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000014.00000002.349071481.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: dhcpmon.exe, 00000014.00000002.349071481.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000014.00000002.349071481.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000002.571610675.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: dhcpmon.exe, 00000014.00000002.347724661.0000000000A91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Memory written: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Memory written: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Memory written: C:\Users\user\AppData\Roaming\hbVCUlv.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 540000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmp9381.tmp
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process created: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpBC6A.tmp
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpBDD3.tmp
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmpA582.tmp
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Process created: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmp8DA5.tmp
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	Process created: C:\Users\user\AppData\Roaming\hbVCUlv.exe C:\Users\user\AppData\Roaming\hbVCUlv.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmpA776.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmpCABE.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000003.568357936.0000000001197000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managern has been aborted because of either a thread exit or an application request.
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000003.540573184.000000000118D000.00000004.00000020.00020000.00000000.sdmp, 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000002.573594094.000000000328D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager(
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000003.540573184.000000000118D000.00000004.00000020.00020000.00000000.sdmp, 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000003.568357936.0000000001191000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000002.573594094.000000000346B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager4F
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000002.571610675.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager}

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Code function: 0_2_00E4BE16 GetUserNameW,

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\hbVCUlv.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000008.00000002.317270185.000000000105D000.00000004.00000020.00020000.00000000.sdmp, hbVCUlv.exe, 00000009.00000002.329810050.000000000162C000.00000004.00000020.00020000.00000000.sdmp, hbVCUlv.exe, 00000009.00000002.329810050.0000000001609000.00000004.00000020.00020000.00000000.sdmp, dhcpmon.exe, 00000014.00000002.347724661.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.46730c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e14629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.4669c66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.343692976.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.355128673.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.311567488.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.342518655.0000000003621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.342969185.0000000004621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.332550764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hbVCUlv.exe PID: 1228, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000002.578951789.0000000005B70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000002.578951789.0000000005B70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000002.573594094.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000002.573594094.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 0000000C.00000002.342518655.0000000003621000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 0000000C.00000002.342518655.0000000003621000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 0000000C.00000002.342969185.0000000004621000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 0000000C.00000002.342969185.0000000004621000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 0000000C.00000002.332550764.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000010.00000002.343692976.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000010.00000002.343692976.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: hbVCUlv.exe, 00000013.00000002.355128673.0000000003151000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: hbVCUlv.exe, 00000013.00000002.355128673.0000000003151000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.46730c5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e14629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.466ea9c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.4669c66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.3c1e2c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.343692976.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.355128673.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.311567488.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.342518655.0000000003621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.342969185.0000000004621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.332550764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe PID: 5244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hbVCUlv.exe PID: 1228, type: MEMORYSTR

Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 3_2_05442D86 bind,
Source: C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Code function: 3_2_05442D34 bind,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	1 Access Token Manipulation	1 Disable or Modify Tools	21 Input Capture	1 Account Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	Boot or Logon Initialization Scripts	112 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	21 Input Capture	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Scheduled Task/Job	2 Obfuscated Files or Information	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	13 Software Packing	NTDS	221 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Remote Access Software	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Masquerading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	1 Non-Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	21 Application Layer Protocol	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	74%	Virustotal		Browse
646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	100%	Avira	HEUR/AGEN.1202153
646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\hbVCUlv.exe	100%	Avira	HEUR/AGEN.1202153
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Avira	HEUR/AGEN.1202153
C:\Users\user\AppData\Roaming\hbVCUlv.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	74%	Virustotal		Browse
C:\Users\user\AppData\Roaming\hbVCUlv.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
12.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.2.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.5e10000.6.unpack	100%	Avira	TR/NanoCore.fadte	Download File
0.0.646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.500000.0.unpack	100%	Avira	HEUR/AGEN.1202153	Download File

Domains

Source	Detection	Scanner	Label	Link
brianbriano.ddns.net	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
127.0.0.1	0%	Avira URL Cloud	safe
brianbriano.ddns.net	0%	Avira URL Cloud	safe
127.0.0.1	1%	Virustotal		Browse
brianbriano.ddns.net	4%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
brianbriano.ddns.net	184.105.237.195	true	true	4%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
brianbriano.ddns.net	true	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
127.0.0.1	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
184.105.237.195	brianbriano.ddns.net	United States		395100	RVBA2016US	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	797493
Start date and time:	2023-02-03 00:26:06 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 7s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@36/16@11/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 95% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
TCP Packets have been reduced to 100
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:27:00	API Interceptor	845x Sleep call for process: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe modified
00:27:02	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe" s>$(Arg0)
00:27:03	Task Scheduler	Run new task: hbVCUlv path: C:\Users\user\AppData\Roaming\hbVCUlv.exe
00:27:05	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
00:27:05	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
00:27:07	API Interceptor	2x Sleep call for process: dhcpmon.exe modified
00:27:08	API Interceptor	1x Sleep call for process: hbVCUlv.exe modified

Process:	C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	397312
Entropy (8bit):	7.9410139482036834
Encrypted:	false
SSDEEP:	6144:f3g6+/BLtz4FIRvUHGNid8tWDBtfctKnKlNSyPOYFq4vCwg8D3ICNiz4ypR42:Y6+/BLtvkGCuYqKifOYnFg8TIuizB
MD5:	E01A14ABC90ACECB1FE2ABA8D3ADB71F
SHA1:	1DBE3B0D1E76EEF6E1CD8C28E59A67B067EB6988
SHA-256:	646B292F7A79327604DDFDB0F535EE8D3832E46DC86A980986016FDBA3D64627
SHA-512:	F3A5374DEA5C38CE1DBDFDFC2607CBC6347C12A8A12D256636B4A0B4A83A4ACA03E1DE2EC4506F28DE962FD0CC2C916E7FDB86994566AC1865FBF4C60312077D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82% Antivirus: Virustotal, Detection: 74%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]............................n#... ........@.. ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P#......H.......h...._..........XY...j...........................................0..k........r...p}.....r...p}.....r%..p}.....r7..p}.....rI..p}.....r[..p}.....rm..p}.....r...p}.....r...p}.....(.......0..t........(....&.....".".!.!....8...........#.#,...+..%..$.$,...+... ...... ......%.%,. ....+.. .........&.&,...X.+..........'.',...+..%..(.(,...+............).),....+..%....*,....+.............+.+,....+..%...,.,,....+.... ....... ......-.-,. ......+... .............,....X..+...

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.log

Download File

Process:	C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	655
Entropy (8bit):	5.273171405160065
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0Ug+9Yz9t0U2ukyrFk70U2WUXBQav:MLF20NaL329hJ5g5z2p22rW29XBT
MD5:	03EBEB80A2ECD58DB99E84A9304352A3
SHA1:	D2C4D662AC774D29740474423B81D61E47B90995
SHA-256:	C8D208E1F41C7F58BC657B74A16F5BA0F496BFE31093D70252A0870CCFB93734
SHA-512:	ECDD31A6DA669E91EAD7E9685EDFE2F128C12280CFBE38135190A0D63291C827002996BFC70A9BD57790E466C4355242B985FA3E087FEA6F6AFAB6AFA6EE7AEE
Malicious:	true
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\4de99804c29261edb63c93616550f034\System.Management.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	771
Entropy (8bit):	5.270465016990876
Encrypted:	false
SSDEEP:	24:MLF20NaL329hJ5g5z2p22rW29XBp2+g2+:MwLLG9h3gl2Y2rx9XBY+g2+
MD5:	3018D5969A55A0F1ADC29EAE9ED164BF
SHA1:	284FC77F7EF0ABDECE86BA01496D879BE71DE65C
SHA-256:	8F12BEC94AF00C112F34873CCA7FC7D85F9851B7ACFD2A20B079868C93078F89
SHA-512:	9E073D4B4F4CC713485235DB89DA06461AE051CACADFF2A4B916A7CBFC0A59CC542988D5530D9FFB28B7E9D98712EB653DB6A613EC1E47C53262AAEEA2C665FE
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\4de99804c29261edb63c93616550f034\System.Management.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\hbVCUlv.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\hbVCUlv.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	655
Entropy (8bit):	5.273171405160065
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0Ug+9Yz9t0U2ukyrFk70U2WUXBQav:MLF20NaL329hJ5g5z2p22rW29XBT
MD5:	03EBEB80A2ECD58DB99E84A9304352A3
SHA1:	D2C4D662AC774D29740474423B81D61E47B90995
SHA-256:	C8D208E1F41C7F58BC657B74A16F5BA0F496BFE31093D70252A0870CCFB93734
SHA-512:	ECDD31A6DA669E91EAD7E9685EDFE2F128C12280CFBE38135190A0D63291C827002996BFC70A9BD57790E466C4355242B985FA3E087FEA6F6AFAB6AFA6EE7AEE
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\4de99804c29261edb63c93616550f034\System.Management.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp8DA5.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\hbVCUlv.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1640
Entropy (8bit):	5.179780179213497
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGlOtn:cbhK79lNQR/rydbz9I3YODOLNdq3wo
MD5:	6022357E4EA537D40786932DE20A1358
SHA1:	19205EFC9A07988C786049A83E856E98DD4159B2
SHA-256:	B9769BCD55F8D8B8E1D476E2DC7DE95B0A60A049C011459AEEB6E20DCA577487
SHA-512:	9E962CDF6CFDB26F50C30746D376CCDA8969A0E3959B2164189EC979275587DE66BBF4AF0B7086FF4C957223E10250740C9C73D56299313546C6DD688F7CEB53
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmp9381.tmp

Download File

Process:	C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1640
Entropy (8bit):	5.179780179213497
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGlOtn:cbhK79lNQR/rydbz9I3YODOLNdq3wo
MD5:	6022357E4EA537D40786932DE20A1358
SHA1:	19205EFC9A07988C786049A83E856E98DD4159B2
SHA-256:	B9769BCD55F8D8B8E1D476E2DC7DE95B0A60A049C011459AEEB6E20DCA577487
SHA-512:	9E962CDF6CFDB26F50C30746D376CCDA8969A0E3959B2164189EC979275587DE66BBF4AF0B7086FF4C957223E10250740C9C73D56299313546C6DD688F7CEB53
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpA582.tmp

Download File

Process:	C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1640
Entropy (8bit):	5.179780179213497
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGlOtn:cbhK79lNQR/rydbz9I3YODOLNdq3wo
MD5:	6022357E4EA537D40786932DE20A1358
SHA1:	19205EFC9A07988C786049A83E856E98DD4159B2
SHA-256:	B9769BCD55F8D8B8E1D476E2DC7DE95B0A60A049C011459AEEB6E20DCA577487
SHA-512:	9E962CDF6CFDB26F50C30746D376CCDA8969A0E3959B2164189EC979275587DE66BBF4AF0B7086FF4C957223E10250740C9C73D56299313546C6DD688F7CEB53
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpA776.tmp

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1640
Entropy (8bit):	5.179780179213497
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGlOtn:cbhK79lNQR/rydbz9I3YODOLNdq3wo
MD5:	6022357E4EA537D40786932DE20A1358
SHA1:	19205EFC9A07988C786049A83E856E98DD4159B2
SHA-256:	B9769BCD55F8D8B8E1D476E2DC7DE95B0A60A049C011459AEEB6E20DCA577487
SHA-512:	9E962CDF6CFDB26F50C30746D376CCDA8969A0E3959B2164189EC979275587DE66BBF4AF0B7086FF4C957223E10250740C9C73D56299313546C6DD688F7CEB53
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpBC6A.tmp

Download File

Process:	C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1335
Entropy (8bit):	5.21334491153168
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0YJvxtn:cbk4oL600QydbQxIYODOLedq3dj
MD5:	5EFC0529B9E30CA47CD07FE32A116CE5
SHA1:	04BAE26926213546EFA3101E607830956E250965
SHA-256:	2ACF199A1C4E458BEDF6637C9AF392F46FE3E4A2C6B49DBA7225C423B66565F1
SHA-512:	221F4EE95FDC69793D6B215E2F26F18DB5798AFC07F21BFF5D5B5EA012D7D6BC9817E168385CA47FE325C1F05C8A586DA88A02A4780B3A3C2A0D3709349BFB5C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpBDD3.tmp

Download File

Process:	C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpCABE.tmp

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1640
Entropy (8bit):	5.179780179213497
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGlOtn:cbhK79lNQR/rydbz9I3YODOLNdq3wo
MD5:	6022357E4EA537D40786932DE20A1358
SHA1:	19205EFC9A07988C786049A83E856E98DD4159B2
SHA-256:	B9769BCD55F8D8B8E1D476E2DC7DE95B0A60A049C011459AEEB6E20DCA577487
SHA-512:	9E962CDF6CFDB26F50C30746D376CCDA8969A0E3959B2164189EC979275587DE66BBF4AF0B7086FF4C957223E10250740C9C73D56299313546C6DD688F7CEB53
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:b:b
MD5:	53BCE1FE311D8C9EF524EAC0EA6B9223
SHA1:	74A39B5401D2AE234872ED096F95037DF103DD6D
SHA-256:	6C748A4D30923BADBF05144B5696150E66B08D5AE4BECAF530767DD6CC323C57
SHA-512:	77BC6062E9B4E1594A55785B1FFD50313196BE81E547F01949EA02869944697448294925FB6CD8931353798DC7BE14A7BB67A42C1D0180BD1B1E716EE0BBE9E9
Malicious:	true
Preview:	iN..t..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat

Download File

Process:	C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.62466971024535
Encrypted:	false
SSDEEP:	3:oNt+WfWTRTnbbQ7hhlVjQVJBkA:oNwvR3Q70Vl
MD5:	569EF1FFEF994FEA2DF27631236433B6
SHA1:	19550BC4046FB45E2A1894679B2C6DEA62C3BB58
SHA-256:	897465B24325FFF96F887BA14800AB111803B42FC267258D38145E9AC61B9B20
SHA-512:	7795B2B84233F9FACDA20365E4D7E9B0D0EED5EEA1522E6F977EFA52DE9551557D0AC2EA66E7AC12476B9D88084DEBC35DD2075CBC20392E76B85605D89FB2D0
Malicious:	false
Preview:	C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

C:\Users\user\AppData\Roaming\hbVCUlv.exe

Download File

Process:	C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	397312
Entropy (8bit):	7.9410139482036834
Encrypted:	false
SSDEEP:	6144:f3g6+/BLtz4FIRvUHGNid8tWDBtfctKnKlNSyPOYFq4vCwg8D3ICNiz4ypR42:Y6+/BLtvkGCuYqKifOYnFg8TIuizB
MD5:	E01A14ABC90ACECB1FE2ABA8D3ADB71F
SHA1:	1DBE3B0D1E76EEF6E1CD8C28E59A67B067EB6988
SHA-256:	646B292F7A79327604DDFDB0F535EE8D3832E46DC86A980986016FDBA3D64627
SHA-512:	F3A5374DEA5C38CE1DBDFDFC2607CBC6347C12A8A12D256636B4A0B4A83A4ACA03E1DE2EC4506F28DE962FD0CC2C916E7FDB86994566AC1865FBF4C60312077D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]............................n#... ........@.. ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P#......H.......h...._..........XY...j...........................................0..k........r...p}.....r...p}.....r%..p}.....r7..p}.....rI..p}.....r[..p}.....rm..p}.....r...p}.....r...p}.....(.......0..t........(....&.....".".!.!....8...........#.#,...+..%..$.$,...+... ...... ......%.%,. ....+.. .........&.&,...X.+..........'.',...+..%..(.(,...+............).),....+..%....*,....+.............+.+,....+..%...,.,,....+.... ....... ......-.-,. ......+... .............,....X..+...

C:\Users\user\AppData\Roaming\hbVCUlv.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9410139482036834
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
File size:	397312
MD5:	e01a14abc90acecb1fe2aba8d3adb71f
SHA1:	1dbe3b0d1e76eef6e1cd8c28e59a67b067eb6988
SHA256:	646b292f7a79327604ddfdb0f535ee8d3832e46dc86a980986016fdba3d64627
SHA512:	f3a5374dea5c38ce1dbdfdfc2607cbc6347c12a8a12d256636b4a0b4a83a4aca03e1de2ec4506f28de962fd0cc2c916e7fdb86994566ac1865fbf4c60312077d
SSDEEP:	6144:f3g6+/BLtz4FIRvUHGNid8tWDBtfctKnKlNSyPOYFq4vCwg8D3ICNiz4ypR42:Y6+/BLtvkGCuYqKifOYnFg8TIuizB
TLSH:	1F8412017718E795D38CA7F8AA74626C4371B6A81932F32F4C6B30E7D563BE2472185B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]............................n#... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x46236e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5DC20BC4 [Tue Nov 5 23:54:44 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x62314	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x66000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x60374	0x60400	False	0.9524173092532467	data	7.954638266049198	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x64000	0x800	0x800	False	0.32958984375	data	3.450513412054433	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x66000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x64090	0x37c	data
RT_MANIFEST	0x6441c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.4184.105.237.19549710100012025019 02/03/23-00:28:31.654776	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49710	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549710100012816766 02/03/23-00:28:33.834752	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49710	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549696100012025019 02/03/23-00:27:05.348657	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49696	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549714100012025019 02/03/23-00:28:55.473039	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49714	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549703100012025019 02/03/23-00:27:48.578100	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49703	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549697100012025019 02/03/23-00:27:11.697985	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49697	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549698100012025019 02/03/23-00:27:19.121500	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49698	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549709100012025019 02/03/23-00:28:24.651689	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49709	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549702100012025019 02/03/23-00:27:42.402353	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49702	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549698100012816766 02/03/23-00:27:21.094469	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49698	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549715100012816766 02/03/23-00:29:05.373729	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49715	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549697100012816766 02/03/23-00:27:13.460347	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49697	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549708100012025019 02/03/23-00:28:17.926799	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49708	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549696100012816766 02/03/23-00:27:07.112967	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49696	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549703100012816766 02/03/23-00:27:50.380926	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49703	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549714100012816766 02/03/23-00:28:58.124908	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49714	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549704100012816766 02/03/23-00:27:57.519906	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49704	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549708100012816766 02/03/23-00:28:19.942981	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49708	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549709100012816766 02/03/23-00:28:26.847077	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49709	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549697100012816718 02/03/23-00:27:12.093478	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49697	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549704100012025019 02/03/23-00:27:55.553197	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49704	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549715100012025019 02/03/23-00:29:04.002318	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49715	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549702100012816766 02/03/23-00:27:44.172937	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49702	10001	192.168.2.4	184.105.237.195
192.168.2.4184.105.237.19549708100012816718 02/03/23-00:28:19.942981	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49708	10001	192.168.2.4	184.105.237.195

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 3, 2023 00:27:05.013998985 CET	49696	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:05.208734035 CET	10001	49696	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:05.208848000 CET	49696	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:05.348656893 CET	49696	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:05.544926882 CET	10001	49696	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:05.545007944 CET	49696	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:05.741916895 CET	10001	49696	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:05.742041111 CET	49696	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:05.937634945 CET	10001	49696	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:05.938749075 CET	49696	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:06.132921934 CET	10001	49696	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:06.133028030 CET	49696	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:06.326924086 CET	10001	49696	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:06.327065945 CET	49696	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:06.522933006 CET	10001	49696	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:06.523025990 CET	49696	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:06.719455957 CET	10001	49696	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:06.719588995 CET	49696	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:06.916315079 CET	10001	49696	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:06.916836023 CET	49696	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:07.112868071 CET	10001	49696	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:07.112967014 CET	49696	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:07.275751114 CET	49696	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:07.307995081 CET	10001	49696	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:07.308048010 CET	49696	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:11.500554085 CET	49697	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:11.697468996 CET	10001	49697	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:11.697550058 CET	49697	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:11.697984934 CET	49697	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:11.894057035 CET	10001	49697	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:11.895531893 CET	49697	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:12.093377113 CET	10001	49697	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:12.093477964 CET	49697	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:12.288959026 CET	10001	49697	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:12.289061069 CET	49697	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:12.483809948 CET	10001	49697	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:12.484217882 CET	49697	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:12.678292990 CET	10001	49697	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:12.678432941 CET	49697	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:12.872711897 CET	10001	49697	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:12.875804901 CET	49697	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:13.070967913 CET	10001	49697	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:13.071103096 CET	49697	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:13.265883923 CET	10001	49697	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:13.265960932 CET	49697	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:13.460284948 CET	10001	49697	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:13.460346937 CET	49697	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:13.603579044 CET	49697	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:13.654912949 CET	10001	49697	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:13.655096054 CET	49697	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:18.835866928 CET	49698	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:19.029932022 CET	10001	49698	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:19.033951998 CET	49698	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:19.121500015 CET	49698	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:19.315598965 CET	10001	49698	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:19.317471027 CET	49698	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:19.511491060 CET	10001	49698	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:19.529211998 CET	49698	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:19.723428965 CET	10001	49698	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:19.725918055 CET	49698	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:19.919888973 CET	10001	49698	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:19.921041012 CET	49698	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:20.116961002 CET	10001	49698	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:20.117067099 CET	49698	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:20.311744928 CET	10001	49698	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:20.312031031 CET	49698	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:20.508069992 CET	10001	49698	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:20.508608103 CET	49698	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:20.702568054 CET	10001	49698	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:20.706109047 CET	49698	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:20.900022030 CET	10001	49698	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:20.900327921 CET	49698	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:21.094309092 CET	10001	49698	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:21.094469070 CET	49698	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:21.107709885 CET	49698	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:21.288347006 CET	10001	49698	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:21.288449049 CET	49698	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:42.206159115 CET	49702	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:42.401283979 CET	10001	49702	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:42.401417971 CET	49702	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:42.402353048 CET	49702	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:42.597618103 CET	10001	49702	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:42.597693920 CET	49702	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:42.793983936 CET	10001	49702	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:42.794060946 CET	49702	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:42.989381075 CET	10001	49702	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:42.989494085 CET	49702	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:43.186486959 CET	10001	49702	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:43.187222958 CET	49702	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:43.382625103 CET	10001	49702	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:43.383800983 CET	49702	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:43.581367970 CET	10001	49702	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:43.582508087 CET	49702	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:43.777828932 CET	10001	49702	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:43.778004885 CET	49702	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:43.973201036 CET	10001	49702	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:43.976073980 CET	49702	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:44.172787905 CET	10001	49702	184.105.237.195	192.168.2.4
Feb 3, 2023 00:27:44.172936916 CET	49702	10001	192.168.2.4	184.105.237.195
Feb 3, 2023 00:27:44.264945030 CET	49702	10001	192.168.2.4	184.105.237.195

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 3, 2023 00:27:04.961555958 CET	50911	53	192.168.2.4	8.8.8.8
Feb 3, 2023 00:27:04.984492064 CET	53	50911	8.8.8.8	192.168.2.4
Feb 3, 2023 00:27:11.474503994 CET	59683	53	192.168.2.4	8.8.8.8
Feb 3, 2023 00:27:11.495126963 CET	53	59683	8.8.8.8	192.168.2.4
Feb 3, 2023 00:27:18.814075947 CET	64167	53	192.168.2.4	8.8.8.8
Feb 3, 2023 00:27:18.833225965 CET	53	64167	8.8.8.8	192.168.2.4
Feb 3, 2023 00:27:42.185161114 CET	58565	53	192.168.2.4	8.8.8.8
Feb 3, 2023 00:27:42.204382896 CET	53	58565	8.8.8.8	192.168.2.4
Feb 3, 2023 00:27:48.357934952 CET	52239	53	192.168.2.4	8.8.8.8
Feb 3, 2023 00:27:48.379580975 CET	53	52239	8.8.8.8	192.168.2.4
Feb 3, 2023 00:27:55.328177929 CET	56807	53	192.168.2.4	8.8.8.8
Feb 3, 2023 00:27:55.347703934 CET	53	56807	8.8.8.8	192.168.2.4
Feb 3, 2023 00:28:17.707776070 CET	61007	53	192.168.2.4	8.8.8.8
Feb 3, 2023 00:28:17.729979992 CET	53	61007	8.8.8.8	192.168.2.4
Feb 3, 2023 00:28:24.433948994 CET	60686	53	192.168.2.4	8.8.8.8
Feb 3, 2023 00:28:24.454770088 CET	53	60686	8.8.8.8	192.168.2.4
Feb 3, 2023 00:28:31.434386969 CET	61124	53	192.168.2.4	8.8.8.8
Feb 3, 2023 00:28:31.456299067 CET	53	61124	8.8.8.8	192.168.2.4
Feb 3, 2023 00:28:55.255594969 CET	59444	53	192.168.2.4	8.8.8.8
Feb 3, 2023 00:28:55.274615049 CET	53	59444	8.8.8.8	192.168.2.4
Feb 3, 2023 00:29:03.759879112 CET	55570	53	192.168.2.4	8.8.8.8
Feb 3, 2023 00:29:03.778939962 CET	53	55570	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 3, 2023 00:27:04.961555958 CET	192.168.2.4	8.8.8.8	0x88a5	Standard query (0)	brianbriano.ddns.net	A (IP address)	IN (0x0001)	false
Feb 3, 2023 00:27:11.474503994 CET	192.168.2.4	8.8.8.8	0x6c59	Standard query (0)	brianbriano.ddns.net	A (IP address)	IN (0x0001)	false
Feb 3, 2023 00:27:18.814075947 CET	192.168.2.4	8.8.8.8	0x18c9	Standard query (0)	brianbriano.ddns.net	A (IP address)	IN (0x0001)	false
Feb 3, 2023 00:27:42.185161114 CET	192.168.2.4	8.8.8.8	0xcd7e	Standard query (0)	brianbriano.ddns.net	A (IP address)	IN (0x0001)	false
Feb 3, 2023 00:27:48.357934952 CET	192.168.2.4	8.8.8.8	0x388d	Standard query (0)	brianbriano.ddns.net	A (IP address)	IN (0x0001)	false
Feb 3, 2023 00:27:55.328177929 CET	192.168.2.4	8.8.8.8	0xe574	Standard query (0)	brianbriano.ddns.net	A (IP address)	IN (0x0001)	false
Feb 3, 2023 00:28:17.707776070 CET	192.168.2.4	8.8.8.8	0x7f0b	Standard query (0)	brianbriano.ddns.net	A (IP address)	IN (0x0001)	false
Feb 3, 2023 00:28:24.433948994 CET	192.168.2.4	8.8.8.8	0x426e	Standard query (0)	brianbriano.ddns.net	A (IP address)	IN (0x0001)	false
Feb 3, 2023 00:28:31.434386969 CET	192.168.2.4	8.8.8.8	0x95d5	Standard query (0)	brianbriano.ddns.net	A (IP address)	IN (0x0001)	false
Feb 3, 2023 00:28:55.255594969 CET	192.168.2.4	8.8.8.8	0xfc9f	Standard query (0)	brianbriano.ddns.net	A (IP address)	IN (0x0001)	false
Feb 3, 2023 00:29:03.759879112 CET	192.168.2.4	8.8.8.8	0x7edd	Standard query (0)	brianbriano.ddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 3, 2023 00:27:04.984492064 CET	8.8.8.8	192.168.2.4	0x88a5	No error (0)	brianbriano.ddns.net	184.105.237.195	A (IP address)	IN (0x0001)	false
Feb 3, 2023 00:27:11.495126963 CET	8.8.8.8	192.168.2.4	0x6c59	No error (0)	brianbriano.ddns.net	184.105.237.195	A (IP address)	IN (0x0001)	false
Feb 3, 2023 00:27:18.833225965 CET	8.8.8.8	192.168.2.4	0x18c9	No error (0)	brianbriano.ddns.net	184.105.237.195	A (IP address)	IN (0x0001)	false
Feb 3, 2023 00:27:42.204382896 CET	8.8.8.8	192.168.2.4	0xcd7e	No error (0)	brianbriano.ddns.net	184.105.237.195	A (IP address)	IN (0x0001)	false
Feb 3, 2023 00:27:48.379580975 CET	8.8.8.8	192.168.2.4	0x388d	No error (0)	brianbriano.ddns.net	184.105.237.195	A (IP address)	IN (0x0001)	false
Feb 3, 2023 00:27:55.347703934 CET	8.8.8.8	192.168.2.4	0xe574	No error (0)	brianbriano.ddns.net	184.105.237.195	A (IP address)	IN (0x0001)	false
Feb 3, 2023 00:28:17.729979992 CET	8.8.8.8	192.168.2.4	0x7f0b	No error (0)	brianbriano.ddns.net	184.105.237.195	A (IP address)	IN (0x0001)	false
Feb 3, 2023 00:28:24.454770088 CET	8.8.8.8	192.168.2.4	0x426e	No error (0)	brianbriano.ddns.net	184.105.237.195	A (IP address)	IN (0x0001)	false
Feb 3, 2023 00:28:31.456299067 CET	8.8.8.8	192.168.2.4	0x95d5	No error (0)	brianbriano.ddns.net	184.105.237.195	A (IP address)	IN (0x0001)	false
Feb 3, 2023 00:28:55.274615049 CET	8.8.8.8	192.168.2.4	0xfc9f	No error (0)	brianbriano.ddns.net	184.105.237.195	A (IP address)	IN (0x0001)	false
Feb 3, 2023 00:29:03.778939962 CET	8.8.8.8	192.168.2.4	0x7edd	No error (0)	brianbriano.ddns.net	184.105.237.195	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	00:26:58
Start date:	03/02/2023
Path:	C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Imagebase:	0x500000
File size:	397312 bytes
MD5 hash:	E01A14ABC90ACECB1FE2ABA8D3ADB71F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CassandraCrypter, Description: Yara detected Cassandra Crypter, Source: 00000000.00000002.307508938.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Source: 00000000.00000002.314033178.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, Author: Arnim Rupp Rule: INDICATOR_EXE_Packed_Cassandra, Description: Detects executables packed with Cassandra/CyaX, Source: 00000000.00000002.314033178.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.311567488.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.311567488.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.311567488.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.311567488.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CassandraCrypter, Description: Yara detected Cassandra Crypter, Source: 00000000.00000002.314578400.0000000005E90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_EXE_Packed_Cassandra, Description: Detects executables packed with Cassandra/CyaX, Source: 00000000.00000002.314578400.0000000005E90000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Analysis Process: schtasks.exePID: 1308, Parent PID: 1228

General

Target ID:	1
Start time:	00:27:00
Start date:	03/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmp9381.tmp
Imagebase:	0xcc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 1236, Parent PID: 1308

General

Target ID:	2
Start time:	00:27:00
Start date:	03/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exePID: 5724, Parent PID: 1228

General

Target ID:	3
Start time:	00:27:01
Start date:	03/02/2023
Path:	C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Imagebase:	0x9c0000
File size:	397312 bytes
MD5 hash:	E01A14ABC90ACECB1FE2ABA8D3ADB71F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.578951789.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.578951789.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.578951789.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.578951789.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.573594094.0000000003201000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: schtasks.exePID: 5060, Parent PID: 5724

General

Target ID:	4
Start time:	00:27:02
Start date:	03/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpBC6A.tmp
Imagebase:	0xcc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 2024, Parent PID: 5060

General

Target ID:	5
Start time:	00:27:02
Start date:	03/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exePID: 5128, Parent PID: 5724

General

Target ID:	6
Start time:	00:27:02
Start date:	03/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpBDD3.tmp
Imagebase:	0xcc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 1504, Parent PID: 5128

General

Target ID:	7
Start time:	00:27:02
Start date:	03/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exePID: 1900, Parent PID: 1088

General

Target ID:	8
Start time:	00:27:02
Start date:	03/02/2023
Path:	C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe 0
Imagebase:	0x820000
File size:	397312 bytes
MD5 hash:	E01A14ABC90ACECB1FE2ABA8D3ADB71F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CassandraCrypter, Description: Yara detected Cassandra Crypter, Source: 00000008.00000002.318734843.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: hbVCUlv.exePID: 6028, Parent PID: 1088

General

Target ID:	9
Start time:	00:27:03
Start date:	03/02/2023
Path:	C:\Users\user\AppData\Roaming\hbVCUlv.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\hbVCUlv.exe
Imagebase:	0xf30000
File size:	397312 bytes
MD5 hash:	E01A14ABC90ACECB1FE2ABA8D3ADB71F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CassandraCrypter, Description: Yara detected Cassandra Crypter, Source: 00000009.00000002.331266992.000000000371A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs

Analysis Process: schtasks.exePID: 5004, Parent PID: 1900

General

Target ID:	10
Start time:	00:27:04
Start date:	03/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmpA582.tmp
Imagebase:	0xcc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 640, Parent PID: 5004

General

Target ID:	11
Start time:	00:27:04
Start date:	03/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exePID: 5244, Parent PID: 1900

General

Target ID:	12
Start time:	00:27:05
Start date:	03/02/2023
Path:	C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Imagebase:	0xf70000
File size:	397312 bytes
MD5 hash:	E01A14ABC90ACECB1FE2ABA8D3ADB71F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.342518655.0000000003621000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.342518655.0000000003621000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000C.00000002.342518655.0000000003621000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.342969185.0000000004621000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.342969185.0000000004621000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000C.00000002.342969185.0000000004621000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.332550764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.332550764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.332550764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000C.00000002.332550764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown

Analysis Process: dhcpmon.exePID: 4788, Parent PID: 1088

General

Target ID:	13
Start time:	00:27:05
Start date:	03/02/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Imagebase:	0xb10000
File size:	397312 bytes
MD5 hash:	E01A14ABC90ACECB1FE2ABA8D3ADB71F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CassandraCrypter, Description: Yara detected Cassandra Crypter, Source: 0000000D.00000002.324082470.000000000315A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs Detection: 74%, Virustotal, Browse

Analysis Process: schtasks.exePID: 6044, Parent PID: 4788

General

Target ID:	14
Start time:	00:27:07
Start date:	03/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmpA776.tmp
Imagebase:	0xcc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 6076, Parent PID: 6044

General

Target ID:	15
Start time:	00:27:07
Start date:	03/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: dhcpmon.exePID: 6088, Parent PID: 4788

General

Target ID:	16
Start time:	00:27:08
Start date:	03/02/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x110000
File size:	397312 bytes
MD5 hash:	E01A14ABC90ACECB1FE2ABA8D3ADB71F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.343692976.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.343692976.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000010.00000002.343692976.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Analysis Process: schtasks.exePID: 5172, Parent PID: 6028

General

Target ID:	17
Start time:	00:27:10
Start date:	03/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmp8DA5.tmp
Imagebase:	0xcc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5232, Parent PID: 5172

General

Target ID:	18
Start time:	00:27:10
Start date:	03/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: hbVCUlv.exePID: 1228, Parent PID: 6028

General

Target ID:	19
Start time:	00:27:11
Start date:	03/02/2023
Path:	C:\Users\user\AppData\Roaming\hbVCUlv.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\hbVCUlv.exe
Imagebase:	0xa20000
File size:	397312 bytes
MD5 hash:	E01A14ABC90ACECB1FE2ABA8D3ADB71F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.355128673.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000002.355128673.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.355128673.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Analysis Process: dhcpmon.exePID: 4600, Parent PID: 3528

General

Target ID:	20
Start time:	00:27:13
Start date:	03/02/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0x200000
File size:	397312 bytes
MD5 hash:	E01A14ABC90ACECB1FE2ABA8D3ADB71F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Analysis Process: schtasks.exePID: 4492, Parent PID: 4600

General

Target ID:	21
Start time:	00:27:19
Start date:	03/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbVCUlv" /XML "C:\Users\user\AppData\Local\Temp\tmpCABE.tmp
Imagebase:	0xcc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 476, Parent PID: 4492

General

Target ID:	22
Start time:	00:27:19
Start date:	03/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: dhcpmon.exePID: 5072, Parent PID: 4600

General

Target ID:	23
Start time:	00:27:19
Start date:	03/02/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x770000
File size:	397312 bytes
MD5 hash:	E01A14ABC90ACECB1FE2ABA8D3ADB71F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Disassembly

⊘No disassembly

Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000000.00000002.307508938.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCyaX.dll0 vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000000.00000002.307508938.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNvidiaCatalysts.dll@ vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000000.00000002.314033178.00000000051D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCyaX-Sharp.exe6 vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000000.00000002.314578400.0000000005E90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCyaX.dll0 vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000000.00000000.302015561.0000000000564000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBuilderLibrary.exe> vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000000.00000002.313010978.0000000004D40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNvidiaCatalysts.dll@ vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000002.579021289.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000002.571610675.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBuil vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000002.578951789.0000000005B70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000002.573594094.0000000003201000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000002.576893393.0000000004267000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000002.579080815.0000000005E10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000003.00000002.576893393.0000000004280000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000008.00000002.318734843.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCyaX.dll0 vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000008.00000002.320823236.00000000040A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCyaX-Sharp.exe6 vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 00000008.00000002.317270185.000000000100A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 0000000C.00000002.341271791.000000000176A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 0000000C.00000002.342518655.0000000003621000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 0000000C.00000002.342518655.0000000003621000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 0000000C.00000002.342969185.0000000004621000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 0000000C.00000002.342969185.0000000004621000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe, 0000000C.00000002.342969185.0000000004621000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe
Source: 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe	Binary or memory string: OriginalFilenameBuilderLibrary.exe> vs 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\hbVCUlv.exe.log

C:\Users\user\AppData\Local\Temp\tmp8DA5.tmp

C:\Users\user\AppData\Local\Temp\tmp9381.tmp

C:\Users\user\AppData\Local\Temp\tmpA582.tmp

C:\Users\user\AppData\Local\Temp\tmpA776.tmp

Windows Analysis Report
646B292F7A79327604DDFDB0F535EE8D3832E46DC86A9.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre