Edit tour

Windows Analysis Report
lb64Iy4W4e.exe

Overview

General Information

Sample Name:	lb64Iy4W4e.exe
Analysis ID:	799403
MD5:	4c7df43e37814754ad1c8a97ab971af8
SHA1:	c2315cba4dc175554869cf1c7d7b4ddfdb65adea
SHA256:	49cc6f25d16cf7c85d218bcd4ecbdedce0f5d4540bc5099436511291f48a3976
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Maps a DLL or memory area into another process

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses dynamic DNS services

Uses 32bit PE files

Yara signature match

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops PE files

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Found large amount of non-executed APIs

Contains functionality to delete services

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

lb64Iy4W4e.exe (PID: 4332 cmdline: C:\Users\user\Desktop\lb64Iy4W4e.exe MD5: 4C7DF43E37814754AD1C8A97AB971AF8)

tohjyweui.exe (PID: 5884 cmdline: "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\AppData\Local\Temp\fwbfw.c MD5: 64517EEC55E1F3C392B63B73D833E5F9)

tohjyweui.exe (PID: 4560 cmdline: C:\Users\user\AppData\Local\Temp\tohjyweui.exe MD5: 64517EEC55E1F3C392B63B73D833E5F9)

tpyienirbwgp.exe (PID: 5716 cmdline: "C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe" "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\A MD5: 64517EEC55E1F3C392B63B73D833E5F9)

WerFault.exe (PID: 5420 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 632 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

tpyienirbwgp.exe (PID: 5408 cmdline: "C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe" "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\A MD5: 64517EEC55E1F3C392B63B73D833E5F9)

WerFault.exe (PID: 4032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 604 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "d046c01c-51f5-4c8c-b5b9-b566d533", "Group": "", "Domain1": "alertt.duckdns.org", "Domain2": "alertt.duckdns.org", "Port": 6445, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x237e5:$x1: NanoCore.ClientPluginHost 0x23822:$x2: IClientNetworkHost 0x27355:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x2355d:$x1: NanoCore Client.exe 0x237e5:$x2: NanoCore.ClientPluginHost 0x24e1e:$s1: PluginCommand 0x24e12:$s2: FileCommand 0x25cc3:$s3: PipeExists 0x2ba7a:$s4: PipeCreated 0x2380f:$s5: IClientLoggingHost
00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2354d:$x1: NanoCore Client 0x2355d:$x1: NanoCore Client 0x237a5:$x2: NanoCore.ClientPlugin 0x237e5:$x3: NanoCore.ClientPluginHost 0x2379a:$i1: IClientApp 0x237bb:$i2: IClientData 0x237c7:$i3: IClientNetwork 0x237d6:$i4: IClientAppHost 0x237ff:$i5: IClientDataHost 0x2380f:$i6: IClientLoggingHost 0x23822:$i7: IClientNetworkHost 0x23835:$i8: IClientUIHost 0x23843:$i9: IClientNameObjectCollection 0x2385f:$i10: IClientReadOnlyNameObjectCollection 0x235ac:$s1: ClientPlugin 0x237ae:$s1: ClientPlugin 0x23ca2:$s2: EndPoint 0x23cab:$s3: IPAddress 0x23cb5:$s4: IPEndPoint 0x256eb:$s6: get_ClientSettings 0x25c8f:$s7: get_Connected
00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2354d:$a: NanoCore 0x2355d:$a: NanoCore 0x23791:$a: NanoCore 0x237a5:$a: NanoCore 0x237e5:$a: NanoCore 0x235ac:$b: ClientPlugin 0x237ae:$b: ClientPlugin 0x237ee:$b: ClientPlugin 0x236d3:$c: ProjectData 0x240da:$d: DESCrypto 0x2baa6:$e: KeepAlive 0x29a94:$g: LogClientMessage 0x25c8f:$i: get_Connected 0x24410:$j: #=q 0x24440:$j: #=q 0x2445c:$j: #=q 0x2448c:$j: #=q 0x244a8:$j: #=q 0x244c4:$j: #=q 0x244f4:$j: #=q 0x24510:$j: #=q
00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x237e5:$a1: NanoCore.ClientPluginHost 0x237a5:$a2: NanoCore.ClientPlugin 0x256fe:$b1: get_BuilderSettings 0x23601:$b2: ClientLoaderForm.resources 0x24e1e:$b3: PluginCommand 0x237d6:$b4: IClientAppHost 0x2dc56:$b5: GetBlockHash 0x25d56:$b6: AddHostEntry 0x29a49:$b7: LogClientException 0x25cc3:$b8: PipeExists 0x2380f:$b9: IClientLoggingHost
Process Memory Space: tohjyweui.exe PID: 5884	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x7009e:$x1: NanoCore.ClientPluginHost 0x700db:$x2: IClientNetworkHost 0x73bcc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7ec0b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: tohjyweui.exe PID: 5884	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: tohjyweui.exe PID: 5884	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6fd6b:$a: NanoCore 0x6fd7b:$a: NanoCore 0x6fe3a:$a: NanoCore 0x6fe49:$a: NanoCore 0x7004a:$a: NanoCore 0x7005e:$a: NanoCore 0x7009e:$a: NanoCore 0x7b275:$a: NanoCore 0x7b287:$a: NanoCore 0x7b2c3:$a: NanoCore 0x6fdca:$b: ClientPlugin 0x6fe93:$b: ClientPlugin 0x70067:$b: ClientPlugin 0x700a7:$b: ClientPlugin 0x7b290:$b: ClientPlugin 0x7b2cc:$b: ClientPlugin 0x6ff8c:$c: ProjectData 0x7b1c2:$c: ProjectData 0x70960:$d: DESCrypto 0x7bb20:$d: DESCrypto 0x7831d:$e: KeepAlive
Process Memory Space: tohjyweui.exe PID: 5884	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x7009e:$a1: NanoCore.ClientPluginHost 0x7005e:$a2: NanoCore.ClientPlugin 0x71f75:$b1: get_BuilderSettings 0x6fe1f:$b2: ClientLoaderForm.resources 0x71695:$b3: PluginCommand 0x7008f:$b4: IClientAppHost 0x7a4c8:$b5: GetBlockHash 0x725cd:$b6: AddHostEntry 0x7d6a5:$b6: AddHostEntry 0x762c0:$b7: LogClientException 0x811e6:$b7: LogClientException 0x7253a:$b8: PipeExists 0x7d619:$b8: PipeExists 0x700c8:$b9: IClientLoggingHost
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.tohjyweui.exe.643658.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.tohjyweui.exe.643658.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.tohjyweui.exe.643658.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.tohjyweui.exe.643658.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
1.2.tohjyweui.exe.643658.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.tohjyweui.exe.643658.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
1.2.tohjyweui.exe.630000.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x237e5:$x1: NanoCore.ClientPluginHost 0x23822:$x2: IClientNetworkHost 0x27355:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.tohjyweui.exe.630000.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x2355d:$x1: NanoCore Client.exe 0x237e5:$x2: NanoCore.ClientPluginHost 0x24e1e:$s1: PluginCommand 0x24e12:$s2: FileCommand 0x25cc3:$s3: PipeExists 0x2ba7a:$s4: PipeCreated 0x2380f:$s5: IClientLoggingHost
1.2.tohjyweui.exe.630000.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.tohjyweui.exe.630000.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2354d:$x1: NanoCore Client 0x2355d:$x1: NanoCore Client 0x237a5:$x2: NanoCore.ClientPlugin 0x237e5:$x3: NanoCore.ClientPluginHost 0x2379a:$i1: IClientApp 0x237bb:$i2: IClientData 0x237c7:$i3: IClientNetwork 0x237d6:$i4: IClientAppHost 0x237ff:$i5: IClientDataHost 0x2380f:$i6: IClientLoggingHost 0x23822:$i7: IClientNetworkHost 0x23835:$i8: IClientUIHost 0x23843:$i9: IClientNameObjectCollection 0x2385f:$i10: IClientReadOnlyNameObjectCollection 0x235ac:$s1: ClientPlugin 0x237ae:$s1: ClientPlugin 0x23ca2:$s2: EndPoint 0x23cab:$s3: IPAddress 0x23cb5:$s4: IPEndPoint 0x256eb:$s6: get_ClientSettings 0x25c8f:$s7: get_Connected
1.2.tohjyweui.exe.630000.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2354d:$a: NanoCore 0x2355d:$a: NanoCore 0x23791:$a: NanoCore 0x237a5:$a: NanoCore 0x237e5:$a: NanoCore 0x235ac:$b: ClientPlugin 0x237ae:$b: ClientPlugin 0x237ee:$b: ClientPlugin 0x236d3:$c: ProjectData 0x240da:$d: DESCrypto 0x2baa6:$e: KeepAlive 0x29a94:$g: LogClientMessage 0x25c8f:$i: get_Connected 0x24410:$j: #=q 0x24440:$j: #=q 0x2445c:$j: #=q 0x2448c:$j: #=q 0x244a8:$j: #=q 0x244c4:$j: #=q 0x244f4:$j: #=q 0x24510:$j: #=q
1.2.tohjyweui.exe.630000.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x237e5:$a1: NanoCore.ClientPluginHost 0x237a5:$a2: NanoCore.ClientPlugin 0x256fe:$b1: get_BuilderSettings 0x23601:$b2: ClientLoaderForm.resources 0x24e1e:$b3: PluginCommand 0x237d6:$b4: IClientAppHost 0x2dc56:$b5: GetBlockHash 0x25d56:$b6: AddHostEntry 0x29a49:$b7: LogClientException 0x25cc3:$b8: PipeExists 0x2380f:$b9: IClientLoggingHost
1.2.tohjyweui.exe.643658.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.tohjyweui.exe.643658.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.tohjyweui.exe.643658.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.tohjyweui.exe.643658.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
1.2.tohjyweui.exe.643658.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.tohjyweui.exe.643658.1.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
1.2.tohjyweui.exe.630000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1fde5:$x1: NanoCore.ClientPluginHost 0x1fe22:$x2: IClientNetworkHost 0x23955:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.tohjyweui.exe.630000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1fb5d:$x1: NanoCore Client.exe 0x1fde5:$x2: NanoCore.ClientPluginHost 0x2141e:$s1: PluginCommand 0x21412:$s2: FileCommand 0x222c3:$s3: PipeExists 0x2807a:$s4: PipeCreated 0x1fe0f:$s5: IClientLoggingHost
1.2.tohjyweui.exe.630000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.tohjyweui.exe.630000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1fb4d:$x1: NanoCore Client 0x1fb5d:$x1: NanoCore Client 0x1fda5:$x2: NanoCore.ClientPlugin 0x1fde5:$x3: NanoCore.ClientPluginHost 0x1fd9a:$i1: IClientApp 0x1fdbb:$i2: IClientData 0x1fdc7:$i3: IClientNetwork 0x1fdd6:$i4: IClientAppHost 0x1fdff:$i5: IClientDataHost 0x1fe0f:$i6: IClientLoggingHost 0x1fe22:$i7: IClientNetworkHost 0x1fe35:$i8: IClientUIHost 0x1fe43:$i9: IClientNameObjectCollection 0x1fe5f:$i10: IClientReadOnlyNameObjectCollection 0x1fbac:$s1: ClientPlugin 0x1fdae:$s1: ClientPlugin 0x202a2:$s2: EndPoint 0x202ab:$s3: IPAddress 0x202b5:$s4: IPEndPoint 0x21ceb:$s6: get_ClientSettings 0x2228f:$s7: get_Connected
1.2.tohjyweui.exe.630000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1fb4d:$a: NanoCore 0x1fb5d:$a: NanoCore 0x1fd91:$a: NanoCore 0x1fda5:$a: NanoCore 0x1fde5:$a: NanoCore 0x1fbac:$b: ClientPlugin 0x1fdae:$b: ClientPlugin 0x1fdee:$b: ClientPlugin 0x1fcd3:$c: ProjectData 0x206da:$d: DESCrypto 0x280a6:$e: KeepAlive 0x26094:$g: LogClientMessage 0x2228f:$i: get_Connected 0x20a10:$j: #=q 0x20a40:$j: #=q 0x20a5c:$j: #=q 0x20a8c:$j: #=q 0x20aa8:$j: #=q 0x20ac4:$j: #=q 0x20af4:$j: #=q 0x20b10:$j: #=q
1.2.tohjyweui.exe.630000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1fde5:$a1: NanoCore.ClientPluginHost 0x1fda5:$a2: NanoCore.ClientPlugin 0x21cfe:$b1: get_BuilderSettings 0x1fc01:$b2: ClientLoaderForm.resources 0x2141e:$b3: PluginCommand 0x1fdd6:$b4: IClientAppHost 0x2a256:$b5: GetBlockHash 0x22356:$b6: AddHostEntry 0x26049:$b7: LogClientException 0x222c3:$b8: PipeExists 0x1fe0f:$b9: IClientLoggingHost
Click to see the 19 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\tohjyweui.exe, ProcessId: 4560, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Snort Signatures

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374971264452816766 02/06/23-14:12:55.395066
SID:	2816766
Source Port:	49712
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 45.132.106.37 - Destination IP: 192.168.2.5

Timestamp:	45.132.106.37192.168.2.56445497312841753 02/06/23-14:13:52.517965
SID:	2841753
Source Port:	6445
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374970964452816766 02/06/23-14:12:39.702248
SID:	2816766
Source Port:	49709
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 45.132.106.37 - Destination IP: 192.168.2.5

Timestamp:	45.132.106.37192.168.2.56445497072841753 02/06/23-14:12:33.506820
SID:	2841753
Source Port:	6445
Destination Port:	49707
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374973564452816766 02/06/23-14:14:08.694757
SID:	2816766
Source Port:	49735
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 45.132.106.37 - Destination IP: 192.168.2.5

Timestamp:	45.132.106.37192.168.2.56445497202841753 02/06/23-14:13:12.771040
SID:	2841753
Source Port:	6445
Destination Port:	49720
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374972964452816766 02/06/23-14:13:42.328059
SID:	2816766
Source Port:	49729
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374970264452816766 02/06/23-14:12:20.468192
SID:	2816766
Source Port:	49702
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 45.132.106.37 - Destination IP: 192.168.2.5

Timestamp:	45.132.106.37192.168.2.56445497252841753 02/06/23-14:13:29.137140
SID:	2841753
Source Port:	6445
Destination Port:	49725
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Nanocore Checkin Pattern - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374971164452823337 02/06/23-14:12:50.979729
SID:	2823337
Source Port:	49711
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keepalive Response 3 - Source IP: 45.132.106.37 - Destination IP: 192.168.2.5

Timestamp:	45.132.106.37192.168.2.56445497202810451 02/06/23-14:13:12.771040
SID:	2810451
Source Port:	6445
Destination Port:	49720
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 45.132.106.37 - Destination IP: 192.168.2.5

Timestamp:	45.132.106.37192.168.2.56445497332841753 02/06/23-14:13:57.153095
SID:	2841753
Source Port:	6445
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 45.132.106.37 - Destination IP: 192.168.2.5

Timestamp:	45.132.106.37192.168.2.56445497352841753 02/06/23-14:14:08.617792
SID:	2841753
Source Port:	6445
Destination Port:	49735
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 45.132.106.37 - Destination IP: 192.168.2.5

Timestamp:	45.132.106.37192.168.2.56445497362841753 02/06/23-14:14:13.470154
SID:	2841753
Source Port:	6445
Destination Port:	49736
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374972264452816766 02/06/23-14:13:18.836838
SID:	2816766
Source Port:	49722
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374971664452816766 02/06/23-14:12:59.871071
SID:	2816766
Source Port:	49716
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374970364452816766 02/06/23-14:12:29.256960
SID:	2816766
Source Port:	49703
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374972664452816766 02/06/23-14:13:33.513858
SID:	2816766
Source Port:	49726
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 45.132.106.37 - Destination IP: 192.168.2.5

Timestamp:	45.132.106.37192.168.2.56445497272841753 02/06/23-14:13:37.915437
SID:	2841753
Source Port:	6445
Destination Port:	49727
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 45.132.106.37 - Destination IP: 192.168.2.5

Timestamp:	45.132.106.37192.168.2.56445497292841753 02/06/23-14:13:42.158315
SID:	2841753
Source Port:	6445
Destination Port:	49729
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 45.132.106.37 - Destination IP: 192.168.2.5

Timestamp:	45.132.106.37192.168.2.56445497022841753 02/06/23-14:12:20.379177
SID:	2841753
Source Port:	6445
Destination Port:	49702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 45.132.106.37 - Destination IP: 192.168.2.5

Timestamp:	45.132.106.37192.168.2.56445497262841753 02/06/23-14:13:33.469565
SID:	2841753
Source Port:	6445
Destination Port:	49726
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374973364452816766 02/06/23-14:13:57.290193
SID:	2816766
Source Port:	49733
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 45.132.106.37 - Destination IP: 192.168.2.5

Timestamp:	45.132.106.37192.168.2.56445497012841753 02/06/23-14:12:15.717836
SID:	2841753
Source Port:	6445
Destination Port:	49701
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374970764452816766 02/06/23-14:12:33.686837
SID:	2816766
Source Port:	49707
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 45.132.106.37 - Destination IP: 192.168.2.5

Timestamp:	45.132.106.37192.168.2.56445497122841753 02/06/23-14:12:55.336364
SID:	2841753
Source Port:	6445
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 45.132.106.37 - Destination IP: 192.168.2.5

Timestamp:	45.132.106.37192.168.2.56445497162841753 02/06/23-14:12:59.766454
SID:	2841753
Source Port:	6445
Destination Port:	49716
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 45.132.106.37 - Destination IP: 192.168.2.5

Timestamp:	45.132.106.37192.168.2.56445497192841753 02/06/23-14:13:08.445515
SID:	2841753
Source Port:	6445
Destination Port:	49719
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374972364452816766 02/06/23-14:13:24.891407
SID:	2816766
Source Port:	49723
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 45.132.106.37 - Destination IP: 192.168.2.5

Timestamp:	45.132.106.37192.168.2.56445497172841753 02/06/23-14:13:04.143032
SID:	2841753
Source Port:	6445
Destination Port:	49717
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 45.132.106.37 - Destination IP: 192.168.2.5

Timestamp:	45.132.106.37192.168.2.56445497112841753 02/06/23-14:12:50.916490
SID:	2841753
Source Port:	6445
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374971764452816766 02/06/23-14:13:04.199805
SID:	2816766
Source Port:	49717
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374972764452816766 02/06/23-14:13:37.920388
SID:	2816766
Source Port:	49727
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374973064452816766 02/06/23-14:13:48.218570
SID:	2816766
Source Port:	49730
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374972264452816718 02/06/23-14:13:18.233724
SID:	2816718
Source Port:	49722
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374973464452816766 02/06/23-14:14:04.014579
SID:	2816766
Source Port:	49734
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374971064452816766 02/06/23-14:12:46.639827
SID:	2816766
Source Port:	49710
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374972064452816766 02/06/23-14:13:12.842490
SID:	2816766
Source Port:	49720
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374971164452816766 02/06/23-14:12:50.979729
SID:	2816766
Source Port:	49711
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374973164452816766 02/06/23-14:13:52.687469
SID:	2816766
Source Port:	49731
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374970164452816766 02/06/23-14:12:15.779461
SID:	2816766
Source Port:	49701
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374972564452816766 02/06/23-14:13:29.249183
SID:	2816766
Source Port:	49725
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keepalive Response 1 - Source IP: 45.132.106.37 - Destination IP: 192.168.2.5

Timestamp:	45.132.106.37192.168.2.56445497092810290 02/06/23-14:12:38.309927
SID:	2810290
Source Port:	6445
Destination Port:	49709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374971964452816766 02/06/23-14:13:08.627802
SID:	2816766
Source Port:	49719
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.5 - Destination IP: 45.132.106.37

Timestamp:	192.168.2.545.132.106.374970364452816718 02/06/23-14:12:27.309652
SID:	2816718
Source Port:	49703
Destination Port:	6445
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: lb64Iy4W4e.exe	ReversingLabs: Detection: 41%
Source: lb64Iy4W4e.exe	Virustotal: Detection: 34%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Virustotal: Detection: 29%	Perma Link
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	ReversingLabs: Detection: 23%

Yara detected Nanocore RAT

Source: Yara match	File source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR

Source: 1.2.tohjyweui.exe.643658.1.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "d046c01c-51f5-4c8c-b5b9-b566d533", "Group": "", "Domain1": "alertt.duckdns.org", "Domain2": "alertt.duckdns.org", "Port": 6445, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Source: lb64Iy4W4e.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: lb64Iy4W4e.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: tohjyweui.exe, 00000001.00000003.314559627.000000001A6B0000.00000004.00001000.00020000.00000000.sdmp, tohjyweui.exe, 00000001.00000003.311976529.000000001A840000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: tohjyweui.exe, 00000001.00000003.314559627.000000001A6B0000.00000004.00001000.00020000.00000000.sdmp, tohjyweui.exe, 00000001.00000003.311976529.000000001A840000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\lb64Iy4W4e.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe	Code function: 0_2_0040290B FindFirstFileW,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009C42E3 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009C46CD FindFirstFileExW,FindNextFileW,FindClose,FindClose,

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49701
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49701 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49702 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49702
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49703 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.5:49703 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49707
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49707 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49709 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 45.132.106.37:6445 -> 192.168.2.5:49709
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49710 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49711
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49711 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2823337 ETPRO TROJAN Nanocore Checkin Pattern 192.168.2.5:49711 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49712
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49712 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49716
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49716 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49717
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49717 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49719
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49719 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49720
Source: Traffic	Snort IDS: 2810451 ETPRO TROJAN NanoCore RAT Keepalive Response 3 45.132.106.37:6445 -> 192.168.2.5:49720
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49720 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49722 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.5:49722 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49723 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49725
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49725 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49726
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49726 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49727
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49727 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49729
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49729 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49730 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49731
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49731 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49733
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49733 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49734 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49735
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49735 -> 45.132.106.37:6445
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49736

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: alertt.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: alertt.duckdns.org

Source: Joe Sandbox View

ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL ON-LINE-DATAServerlocation-NetherlandsDrontenNL

Source: global traffic

TCP traffic: 192.168.2.5:49701 -> 45.132.106.37:6445

Source: lb64Iy4W4e.exe

String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: unknown

DNS traffic detected: queries for: alertt.duckdns.org

Source: tohjyweui.exe, 00000001.00000002.320375242.00000000006BA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\lb64Iy4W4e.exe

Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

Source: lb64Iy4W4e.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 632

Source: C:\Users\user\Desktop\lb64Iy4W4e.exe

Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\lb64Iy4W4e.exe	Code function: 0_2_00406D5F
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009D00A7
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009F78A4
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009CE8A2
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009CF9B4
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009B59D3
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009E11E1
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009CF289
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009D0BA1
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009CEBEA
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009D041B
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009CFD42
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009CF617
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009D0780
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009D0FD1
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009EFF1F
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009EEF20
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009CEF41
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_00600F9C
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_00601247
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009B00A7
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009B041B
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009B0780
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009AE8A2
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009DAA75
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009B0BA1
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009AEBEA
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009B0FD1
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009CEF20
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009C8F5E
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009AEF41
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009DAF71
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009C11E1
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009AF289
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009DB389
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009CF430
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009AF617
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009DB7BE
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009D78A4
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009CF870
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009AF9B4
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009959D3
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009DBBF3
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009CDB32
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009AFD42
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009CFF1F

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: String function: 009B33C0 appears 32 times
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: String function: 009BE6D6 appears 54 times
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: String function: 009C6B49 appears 33 times
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: String function: 009933C0 appears 69 times

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

Code function: 1_2_009B1150 OpenSCManagerW,OpenServiceW,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,CloseServiceHandle,

Source: lb64Iy4W4e.exe	ReversingLabs: Detection: 41%
Source: lb64Iy4W4e.exe	Virustotal: Detection: 34%

Source: C:\Users\user\Desktop\lb64Iy4W4e.exe

File read: C:\Users\user\Desktop\lb64Iy4W4e.exe

Jump to behavior

Source: lb64Iy4W4e.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\lb64Iy4W4e.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\lb64Iy4W4e.exe C:\Users\user\Desktop\lb64Iy4W4e.exe
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe	Process created: C:\Users\user\AppData\Local\Temp\tohjyweui.exe "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\AppData\Local\Temp\fwbfw.c
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process created: C:\Users\user\AppData\Local\Temp\tohjyweui.exe C:\Users\user\AppData\Local\Temp\tohjyweui.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe "C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe" "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\A
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 632
Source: unknown	Process created: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe "C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe" "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\A
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 604
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe	Process created: C:\Users\user\AppData\Local\Temp\tohjyweui.exe "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\AppData\Local\Temp\fwbfw.c
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process created: C:\Users\user\AppData\Local\Temp\tohjyweui.exe C:\Users\user\AppData\Local\Temp\tohjyweui.exe

Source: C:\Users\user\Desktop\lb64Iy4W4e.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Users\user\Desktop\lb64Iy4W4e.exe

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

File created: C:\Users\user\AppData\Roaming\swschqavfbk

Jump to behavior

Source: C:\Users\user\Desktop\lb64Iy4W4e.exe

File created: C:\Users\user\AppData\Local\Temp\nsj2A95.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/17@24/1

Source: C:\Users\user\Desktop\lb64Iy4W4e.exe

Code function: 0_2_004021AA CoCreateInstance,

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: OpenSCManagerW,GetSystemDirectoryW,lstrcpyW,CreateServiceW,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: OpenSCManagerW,GetSystemDirectoryW,lstrcpyW,CreateServiceW,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,

Source: C:\Users\user\Desktop\lb64Iy4W4e.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\lb64Iy4W4e.exe

Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5716
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5408
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{d046c01c-51f5-4c8c-b5b9-b566d533dece}

Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: GetTickCount
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: Kernel32.dll
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: Sleep
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: Kernel32.dll
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: VirtualAlloc
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: Kernel32.dll
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: Embedding
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: regserver
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: unregserver
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: unregister
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: unreg
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: package
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: ACTION=ADMIN
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: uninstall
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: update
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: uiet
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: passive
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: help
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: REMOVE=ALL
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: REMOVE=ALL
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: @uv
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: GetTickCount
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: Kernel32.dll
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: Sleep
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: Kernel32.dll
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: VirtualAlloc
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: Kernel32.dll
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: Embedding
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: regserver
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: unregserver
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: unregister
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: unreg
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: package
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: ACTION=ADMIN
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: uninstall
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: update
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: uiet
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: passive
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: help
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: REMOVE=ALL
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: REMOVE=ALL
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Command line argument: @uv

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: lb64Iy4W4e.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: tohjyweui.exe, 00000001.00000003.314559627.000000001A6B0000.00000004.00001000.00020000.00000000.sdmp, tohjyweui.exe, 00000001.00000003.311976529.000000001A840000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: tohjyweui.exe, 00000001.00000003.314559627.000000001A6B0000.00000004.00001000.00020000.00000000.sdmp, tohjyweui.exe, 00000001.00000003.311976529.000000001A840000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009B3406 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009F8EBD push ecx; ret
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009D8EBD push ecx; ret
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_00993406 push ecx; ret

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

Code function: 1_2_009B1C00 LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,Sleep,VirtualAlloc,__fread_nolock,#17,GetCommandLineW,lstrlenW,lstrlenW,lstrlenW,#169,ExitProcess,lstrlenW,lstrlenW,#141,lstrlenW,CLSIDFromString,#190,#88,#88,#6,#175,FreeLibrary,

Source: C:\Users\user\Desktop\lb64Iy4W4e.exe	File created: C:\Users\user\AppData\Local\Temp\tohjyweui.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	File created: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run luqajfoxt			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run luqajfoxt			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

File opened: C:\Users\user\AppData\Local\Temp\tohjyweui.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\lb64Iy4W4e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe TID: 5536	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe TID: 5496	Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe TID: 5512	Thread sleep time: -840000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Window / User API: threadDelayed 403
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Window / User API: foregroundWindowGot 835
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Window / User API: foregroundWindowGot 778

Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe

API coverage: 4.9 %

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

Code function: 1_2_00600EBF GetSystemInfo,

Source: C:\Users\user\Desktop\lb64Iy4W4e.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe	Code function: 0_2_0040290B FindFirstFileW,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009C42E3 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009C46CD FindFirstFileExW,FindNextFileW,FindClose,FindClose,

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\lb64Iy4W4e.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

Code function: 1_2_009B3171 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

Code function: 1_2_009B18C0 MultiByteToWideChar,lstrlenW,GetProcessHeap,HeapAlloc,MultiByteToWideChar,GetThreadLocale,CompareStringW,GetProcessHeap,HeapFree,

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009D9BCC mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009E6DA6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_0060005F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_0060017B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_0060013E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_00600109 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009C6BBA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009C6BFD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009C6B77 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009C6C58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009C6DA6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009C6DD7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009C6D1E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009C6D62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009B9BCC mov ecx, dword ptr fs:[00000030h]

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009B3171 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009B35EF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	Code function: 1_2_009DCE64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_00993306 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009BCE64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_00993171 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: 3_2_009935EF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\tohjyweui.exe protection: execute and read and write

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

Process created: C:\Users\user\AppData\Local\Temp\tohjyweui.exe C:\Users\user\AppData\Local\Temp\tohjyweui.exe

Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

Code function: 1_2_009B341B cpuid

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe

Code function: 1_2_009B3046 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\lb64Iy4W4e.exe

Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: tohjyweui.exe, 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp

String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	11 Windows Service	1 Access Token Manipulation	1 Disable or Modify Tools	1 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	11 Native API	1 Registry Run Keys / Startup Folder	11 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	111 Process Injection	2 Obfuscated Files or Information	Security Account Manager	26 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Service Execution	Logon Script (Mac)	1 Registry Run Keys / Startup Folder	1 Masquerading	NTDS	13 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	21 Virtualization/Sandbox Evasion	LSA Secrets	1 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	21 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Access Token Manipulation	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	111 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
lb64Iy4W4e.exe	41%	ReversingLabs	Win32.Trojan.Nemesis
lb64Iy4W4e.exe	35%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\tohjyweui.exe	23%	ReversingLabs	Win32.Trojan.Pwsx
C:\Users\user\AppData\Local\Temp\tohjyweui.exe	29%	Virustotal		Browse
C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe	23%	ReversingLabs	Win32.Trojan.Pwsx

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
alertt.duckdns.org	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
alertt.duckdns.org	0%	Avira URL Cloud	safe
alertt.duckdns.org	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
alertt.duckdns.org	45.132.106.37	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
alertt.duckdns.org	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	lb64Iy4W4e.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.132.106.37	alertt.duckdns.org	Ukraine		204601	ON-LINE-DATAServerlocation-NetherlandsDrontenNL	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	799403
Start date and time:	2023-02-06 14:11:08 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 17s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	lb64Iy4W4e.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/17@24/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.2% (good quality ratio 96.5%) Quality average: 87.9% Quality standard deviation: 23.3%
HCA Information:	Successful, ratio: 90% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 52.168.117.173, 104.208.16.94
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:12:13	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run luqajfoxt C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\A
14:12:14	API Interceptor	941x Sleep call for process: tohjyweui.exe modified
14:12:21	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run luqajfoxt C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\A
14:12:30	API Interceptor	2x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_tpyienirbwgp.exe_491668454d7886d02c78a9f3324eec6e9b560bc_bb377917_0f868df3\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.929195913406343
Encrypted:	false
SSDEEP:	96:P5F7FbJUSjhRB70sSYpXIQcQmc6ycE8cw3yo++HbHgH3qTP+aVDPMbspoxGfnFhy:hJFbaoHY2GWoPjAQ+t/u7sFS274ItS
MD5:	96F6FB1E217DD003DCE5D7238773460B
SHA1:	89EAE1F997D7756D0AAEC192DE81E69178E6A4AF
SHA-256:	8C67EC275CAAFC86880994975244BCC733DD7348C732D69653E4F0C6E21279DC
SHA-512:	8CE3A7D0FE251B4B304FE130FEDEB9FC8C6D9580F0074C765968A5165D4030B0DE8D52B8A394FFCCC1760162AA4114F07E7CEA6DD3E6FB83F43D0C68BF465B9A
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.0.1.9.5.1.5.1.3.1.3.7.4.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.0.1.9.5.1.5.2.3.1.3.7.4.6.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.b.c.f.c.8.1.3.-.1.b.6.1.-.4.3.f.7.-.9.a.d.6.-.c.0.e.b.a.3.6.2.8.a.6.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.d.6.a.5.e.9.2.-.5.1.2.b.-.4.9.9.0.-.b.8.7.f.-.4.1.1.f.6.d.f.8.7.b.3.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.t.p.y.i.e.n.i.r.b.w.g.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.2.0.-.0.0.0.1.-.0.0.1.9.-.c.b.f.6.-.8.d.1.a.7.8.3.a.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.9.9.9.7.9.3.0.a.d.5.0.c.9.7.0.a.4.8.1.9.d.0.0.b.5.f.6.d.3.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.4.6.3.c.4.5.e.1.a.d.c.2.2.6.9.4.5.6.e.1.8.b.6.b.d.4.7.e.5.2.1.5.0.1.d.1.f.5.9.3.!.t.p.y.i.e.n.i.r.b.w.g.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_tpyienirbwgp.exe_491668454d7886d02c78a9f3324eec6e9b560bc_bb377917_156a7e34\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9362570845292987
Encrypted:	false
SSDEEP:	192:VJNOFbaUHY2GWoPjtLIa/u7sFS274ItS:JOBacY2GFPjL/u7sFX4ItS
MD5:	2CBF5D2E716A4E2B5C6D278FE380657F
SHA1:	384DF552BA7C4BCB6AF9CEA2CA8D41C9F7A35C75
SHA-256:	296B9F299B3257C40397466A884CD0192583A8E96E768E42B1159C02C36CB1ED
SHA-512:	9A18CAA5753D47D557BABC07D0FF4D73590B22EF179AD8CBF90D309901F3D794F4A7D615EDE8F1B04A258752B4A486EAF9A7803B36E8A6FCD3AB7F734D181DC6
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.0.1.9.5.1.4.7.3.1.1.0.2.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.0.1.9.5.1.4.8.4.5.1.6.6.6.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.a.b.6.0.4.e.0.-.f.e.9.9.-.4.0.7.8.-.8.3.b.1.-.7.3.8.6.7.4.3.8.2.9.2.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.2.5.4.e.f.8.5.-.0.c.8.0.-.4.6.2.2.-.b.e.4.8.-.a.4.a.0.9.4.c.1.a.f.d.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.t.p.y.i.e.n.i.r.b.w.g.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.5.4.-.0.0.0.1.-.0.0.1.9.-.1.6.b.6.-.9.9.1.5.7.8.3.a.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.9.9.9.7.9.3.0.a.d.5.0.c.9.7.0.a.4.8.1.9.d.0.0.b.5.f.6.d.3.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.4.6.3.c.4.5.e.1.a.d.c.2.2.6.9.4.5.6.e.1.8.b.6.b.d.4.7.e.5.2.1.5.0.1.d.1.f.5.9.3.!.t.p.y.i.e.n.i.r.b.w.g.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7318.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Feb 6 22:12:27 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	40600
Entropy (8bit):	1.9089113720969164
Encrypted:	false
SSDEEP:	96:5q8GF8v/U/Ah+YSWsVnQH5mFC8cTi72icnus9ikoOuFJwQcv/DhP8st2S+OzbBPI:HLuAcPWsVQszCO2iQJNPzBPbrmsBmw7W
MD5:	524916739B17C605C2740855D1E7EC09
SHA1:	82283EE20177E916CDDCDA1AB1D044DEE085ED18
SHA-256:	53AB2B99083581BDC2B0F0A67B2E1458CE34B129E0FA4EF5D5604E956F2295C9
SHA-512:	AFF9E00E7827410D569BAE50D45E1A82EBCA1C67E53E89208BFC1181245985EB5F9C6C63C248EFE7BB00D89A3AFD7738F806FB1FBA27CE09C52ACEC8AC8AA211
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......K{.c........................................\-..........T.......8...........T............................................................................................................U...........B...... .......GenuineIntelW...........T.......T...E{.c............................. ..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER756B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8368
Entropy (8bit):	3.690412367634023
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiy46O6YBSDSUfgmfjSzo2CpDo89bDYsfohm:RrlsNit6O6YB2SUfgmfjSszDLfT
MD5:	69B0AF479D657FA1AAB1F5B1D5D8A6B3
SHA1:	F64ED0D7D6779D2A6836CC4A3978825DC198D0A7
SHA-256:	ADB3A01ABACCDEBF58B337E58D3A4037125DD6783878C2118AF5FFC690EA2BE8
SHA-512:	6282615E7949977026F11FA8BDB42E396D20ACAC5DFFA8F4ED917027F4B4C1D5F1FDF47AEB97720BEB77985D8DFF70EA797E0902FDED85483EAB889B0016F169
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.1.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER75D9.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4678
Entropy (8bit):	4.428640371795023
Encrypted:	false
SSDEEP:	48:cvIwSD8zsCJgtWI9ZlWgc8sqYj68fm8M4JatkFg+q8vJtp/xl9d:uITfQSUgrsqYDJyVKPp/xl9d
MD5:	0443A3F9E4C64F2076E63D871398340F
SHA1:	DF2AA90A48BD110ECA2562CF67A1F259FD2053D3
SHA-256:	C8550EC9C0DD614286C9284299C53AC51A7C0AA5D53092D213A36D7170BA88AB
SHA-512:	56152EB1ACA2F4D37C1532AF2818517619B23502DC8CE13669A699CA7B089433E48E5D1C15197EE39D34DD638152707EC254A15B5C87AAC45D72329204C6D112
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1901243" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER82C8.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Feb 6 22:12:31 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	44156
Entropy (8bit):	1.878369031530301
Encrypted:	false
SSDEEP:	192:r5dlzYMjVOKpaOhRdc3Eb90iOif7hUOO+HGo:DlWKp9Rdc0bmKf/Go
MD5:	74158FB4A4C5D428524DFA57C800160F
SHA1:	91FD89B3502EBE8AA35D27A485D9E0AF8D2FB845
SHA-256:	68269F2E6CF5C585DA44D8A6E5E817305A803C12566634C500E22FD3A4BF1445
SHA-512:	EE80D93998D256257F44D1A93F78F92D62C62C9CEA65CBB5472809E2BDBB1B2E954128674F73147CF1B76480068337AFE9A799EDC2BA906C9EE6F5AF410B75B8
Malicious:	false
Preview:	MDMP....... .......O{.c........................................./..........T.......8...........T...........................`...........L....................................................................U...........B..............GenuineIntelW...........T....... ...N{.c............................. ..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER84BD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8362
Entropy (8bit):	3.6903200268418375
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi2o6n6YBSUSUDgmfjSzo2CpDH89bUisfjv8m:RrlsNip6n6YBBSUDgmfjSsuUhf1
MD5:	E99E5C0BB9E7AD97E9C5EA642B80D6D9
SHA1:	E651F6215134C7A52E51C7707ADEA8F66825ABFF
SHA-256:	A165CD0C9C52EDD8B366FFE6E55E476A33C5E74327197C8B773CBBD966428206
SHA-512:	069B867E69BAFF255261CE33AF1A4A6452212EBF022D117799C7EA4ADF60C14BCEEFB9FC0CD7FFFBF7014E69E2227783E76E3553F8A88CD4E55271AA45840763
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.0.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER84EC.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4678
Entropy (8bit):	4.430634465003027
Encrypted:	false
SSDEEP:	48:cvIwSD8zsCJgtWI9ZlWgc8sqYj88fm8M4JatkFg+q8vJt3/xl1d:uITfQSUgrsqYNJyZKP3/xl1d
MD5:	B02A5A7D16E8340BF24765A193DDDC9E
SHA1:	3A95D434E11165CFBF295BF5913A1F3AD6909C35
SHA-256:	C70ABF707A46B301967A1C419BF7D35D0334B68DC007A2D7CC10E710EABF22AA
SHA-512:	F12581E96D7AD20C3C5583A3D7FEDCD1A0C691A128055F96385F910A994BCB7005B80486D7B2E433357F91B081AA587811E50FFA4EB90690FF5559354B318FFD
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1901243" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Temp\fwbfw.c

Download File

Process:	C:\Users\user\Desktop\lb64Iy4W4e.exe
File Type:	data
Category:	dropped
Size (bytes):	8143
Entropy (8bit):	7.188238050975561
Encrypted:	false
SSDEEP:	192:darcitQvArWiPvQcb9RuplmxcX/sCbFn/u/hhgv6LLtNI7ypzV:uCYrNPvQeAmaECbV+m69NI7q
MD5:	347856D905BEEA5827F7395DDD77048D
SHA1:	9D6D5347AE1CF53C2D187398FDB0CAB438F991C9
SHA-256:	66B1F21A3BE5DAFCCFEF6CFEA835A488608FC471E9AC0D559D84CC4858CE683F
SHA-512:	E9BC2FF8EAAA97F2DD39F76BF9C266DFE68CAB1CDA220237D87D020B2E90F8650EF1E66332E18135B8F809914048AA73B2BEC218B1379904E84E0D78C3D6549C
Malicious:	false
Preview:	.705m..f.F<...05o.:......?v>.3.3.<......M.knl.02a..c.E<...42c. ......4.D63.6.3.?.....E.gni.53P..805.p8.q?.2.8.u .a..beabo.H0..v..v.@3.`..i/7.p.6.t(2..g.}.u<..G-.0.3.h.f....w8L$.m.r.D;F...okc..m.;4.q.?.<@.4.0...m..u<f...@%.`4..D'd.O$..A5..=..<r..4M.knl.82a..Q..401ec.t4.M4...D;.D..d580..E9....E....3.u.mje.18e..`W..480.x<.p=.4.4.p-P..6.c.!....D%.\|.eX.....+..t..0....e.a..`beP..580.p=.t>.8.5.p,XE..Md.....M9..e...@4......F1..u.\|c.....Lq.}<...v<+480.}<;.&<.>..r.^.q8F0....q.^.q8F0...^..M...3uc.....}<F...kloe.=8e....aboZf`Z\V.v...`ZYaZCV.v.j^YV.}.lZAU.w.`Z\^.q.iY.T.}.m^.q.[WlT.}....i.W.y.R.}.^.y.W.q.......XW..Mc.....\7!.K.y.a..`.....Z...Jo.......\GB.Gg.u......X.B.Kg.v......Pp..Nd.w.....\...Ke.}.....Y...Ko.p......G8.u....0<..480fP.401Y7a^?X580..D;.g.....A4...Tgn.`...G.X0P0.80..3cg.a.p0..D.`...igen.a..@.b.e.kX.013^3gR7]804p.F8.a.c..q.ad.G<n.`..D2..qb.e...knj..o.00`...)ecXg`Z]^.q.iYXk^OV.}.lZPU.w.`ZE^.q.iY]T.}.mR.R.t.lT.}._\hR.t...R.}.^.y.W.y.R.u......ZR..Jo....\5$.O

C:\Users\user\AppData\Local\Temp\nsj2A96.tmp

Download File

Process:	C:\Users\user\Desktop\lb64Iy4W4e.exe
File Type:	data
Category:	dropped
Size (bytes):	698028
Entropy (8bit):	7.460862363180337
Encrypted:	false
SSDEEP:	12288:57EOGOwPPrn9SfU+7cCxbOXnKO9tWYI0D9bhoK1j/HD03n1zvPF:57AOwPTU8WbGTtWYI0D9bho2D031zvP
MD5:	EF267C2426AD12867472601EE299537D
SHA1:	A7311F5C90CD1F31F5410A810558FB6242DE5A01
SHA-256:	CBC0231A9AD35A20F279FD0E38093D3DFD0DD6FFE6C276FAD5AE945064E539CC
SHA-512:	CC031C7E2DB6D86B7D3AE6311745E228142C33CB1DBE2EB69593C780CC2484DFB2B669ACE9DBCB05E143A389647CD118450A4490971D24A1616AB9B1BB1EB393
Malicious:	false
Preview:	z-......,...................m............,......z-.............................................................................."...........................................................................................................................................................G...............g...j...............................................................................................................................2...........7...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tohjyweui.exe

Download File

Process:	C:\Users\user\Desktop\lb64Iy4W4e.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	370176
Entropy (8bit):	6.615303914837989
Encrypted:	false
SSDEEP:	6144:MWYtu0D9bhoKSoj/QED03mc8+z1zQpb+g4ZeMF:MWYI0D9bhoK1j/HD03n1zvPF
MD5:	64517EEC55E1F3C392B63B73D833E5F9
SHA1:	463C45E1ADC2269456E18B6BD47E521501D1F593
SHA-256:	91E93FF76C34BEB61A02F782558C8FF319558B63E008580EB567DD927663E19C
SHA-512:	E14FAF62CAE49174D895C6552E40FA54038BF46B350C6799938129E60F487F226260A5E3C23996BAF466494D5713A01612454F8C2334E581730CE5C1AE4A56A0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 23% Antivirus: Virustotal, Detection: 29%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%..a..a..a.....k...........u.....r.....B.....s.....v..a........`...Y.`.....`..Richa..........PE..L......c............................V,............@.......................................@.................................@z..................................0$...h...............................h..@...............\|............................text...+........................... ..`.rdata..............................@..@.data................r..............@....gfids...............\|..............@..@.rsrc................~..............@..@.reloc..0$.......&..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tqtdb.c

Download File

Process:	C:\Users\user\Desktop\lb64Iy4W4e.exe
File Type:	data
Category:	dropped
Size (bytes):	308051
Entropy (8bit):	7.986580869538692
Encrypted:	false
SSDEEP:	6144:blfN7EA/J3IlnuTtuZd5BCkrSa195056sU+OwHu7sdkwb/mXY:X7EOGOwPPrn9SfU+7cCxbOXY
MD5:	12A293C8002A21714974ED14512456C4
SHA1:	5CFDA98DDB30ED52F34740D33B8197B3447C71A5
SHA-256:	30158501D83CB7C1453D281A51B6F192695E03EE5C90E0642B3EA273FE10BAAA
SHA-512:	C29B0E3F084E170665196E0E2D1D137F5376D8ECAC8BB786BFCB314DCCA6E9B91D3BD408C0F2CD4B165E4184E7FA5CB057C823E3313B71766B07B21BA5DB2B3E
Malicious:	false
Preview:	.<.Rw.......7... .J...J!....R.F&.....I.J./..O./.kN... .#.;..>e.E./.F...`7...]p./.3D..Z6.....}...=.@wI...g-....:..n.K...<...e.Y(R`p.V....^.....dL....W.dXz. ..2+.a.G..l....j...FJ.{.'..:............gWIr.M .nO.;.[..I..J......t..@E..P.h.......w..N.....\|..J.J...^!..;..~I..p...I(../..O...kN... `#.L..>.../...hX..<...7.8....W..D#l.\|G.v_p(lr[..V.[VW...s4.u....nSK...h.H.....~.....(;.Ws@.......~.)0z.......{7...ACG...T7.\....U.U5p.[9_Y..e...h...(.bPVw.x.}...r..7.s..&....z.0..M.(m..P.h...p...uw...*...\|...z .J...^!....R.F&.5..v\|..e.d.O]..kN... .#.L..>.P../a..zX.......g'#c..W1..D#;.\|G_v_.~.)[.}V..VW...sm.u.Vop.sK....H..;..A...(;k.s!.'......)Iz.......{7...AC&...k7.\....U.U5p.[9_Y..e...h....7b/Vw.x.}...r....s/3.&....z.0..M.(m..P.h.......w..!....0.... .J...^!....R.F&.....I.J./..O./.kN... .#.L..>.P../a..zX..<.....8....W.#.D#..\|G.v_.(l)[.}V..VW...s4.u....n.K...h.H.........(;k.s!.'.....~.)0z.......{7...AC&...k7.\....U.U5p.[9_Y..e...h....7b/Vw.x.}...r....s/3.&

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\tohjyweui.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5:	32D0AAE13696FF7F8AF33B2D22451028
SHA1:	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256:	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512:	1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\tohjyweui.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:s5tn:At
MD5:	51FACF24B75B12CFB8F7B2FB57DA4C58
SHA1:	348477F51F4AA4EF999B743333CE5FDECCF76FB2
SHA-256:	C3AC357375B798C399E6BEF38CD7C254246A6EAB64B0FFF5C163CE385607568C
SHA-512:	B3812D6378CBA61C5504166B2997026494AE6513EA0F56E7952E97BAC8AAA6639359F72B680097714ED5E0F4495B95913B32F6EE39E3F1B0E5D4785758E3CF7F
Malicious:	true
Preview:	...3...H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\tohjyweui.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.221928094887364
Encrypted:	false
SSDEEP:	3:9bzY6oRDMjmPl:RzWDMCd
MD5:	AE0F5E6CE7122AF264EC533C6B15A27B
SHA1:	1265A495C42EED76CC043D50C60C23297E76CCE1
SHA-256:	73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
SHA-512:	DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
Malicious:	false
Preview:	9iH...}Z.4..f..... 8.j....\|.&X..e.F.*.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\tohjyweui.exe
File Type:	data
Category:	dropped
Size (bytes):	426840
Entropy (8bit):	7.999608491116724
Encrypted:	true
SSDEEP:	12288:zKf137EiDsTjevgA4p0V7njXuWSvdVU7V4OC0Rr:+134i2lp67i5d8+OCg
MD5:	963D5E2C9C0008DFF05518B47C367A7F
SHA1:	C183D601FABBC9AC8FBFA0A0937DECC677535E74
SHA-256:	5EACF2974C9BB2C2E24CDC651C4840DD6F4B76A98F0E85E90279F1DBB2E6F3C0
SHA-512:	0C04E1C1A13070D48728D9F7F300D9B26DEC6EC8875D8D3017EAD52B9EE5BDF9B651A7F0FCC537761212831107646ED72B8ED017E7477E600BC0137EF857AE2C
Malicious:	false
Preview:	..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h...J4...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H...........OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........X...bZ...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..

C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\tohjyweui.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	370176
Entropy (8bit):	6.615303914837989
Encrypted:	false
SSDEEP:	6144:MWYtu0D9bhoKSoj/QED03mc8+z1zQpb+g4ZeMF:MWYI0D9bhoK1j/HD03n1zvPF
MD5:	64517EEC55E1F3C392B63B73D833E5F9
SHA1:	463C45E1ADC2269456E18B6BD47E521501D1F593
SHA-256:	91E93FF76C34BEB61A02F782558C8FF319558B63E008580EB567DD927663E19C
SHA-512:	E14FAF62CAE49174D895C6552E40FA54038BF46B350C6799938129E60F487F226260A5E3C23996BAF466494D5713A01612454F8C2334E581730CE5C1AE4A56A0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 23%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%..a..a..a.....k...........u.....r.....B.....s.....v..a........`...Y.`.....`..Richa..........PE..L......c............................V,............@.......................................@.................................@z..................................0$...h...............................h..@...............\|............................text...+........................... ..`.rdata..............................@..@.data................r..............@....gfids...............\|..............@..@.rsrc................~..............@..@.reloc..0$.......&..................@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.396277761181723
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	lb64Iy4W4e.exe
File size:	663392
MD5:	4c7df43e37814754ad1c8a97ab971af8
SHA1:	c2315cba4dc175554869cf1c7d7b4ddfdb65adea
SHA256:	49cc6f25d16cf7c85d218bcd4ecbdedce0f5d4540bc5099436511291f48a3976
SHA512:	635c6f4c3d20a691cadae02d8f857d6aa37775b1d55302c59498e0ace80152413be2f0fd22b328db96ed41e381868f9c026f5176b430ba5e969dba8347f3d8a3
SSDEEP:	12288:3YueB8OT4Q9HIbbir1vIm4KQH/HxCl9KOlOMyhiZq+zeRZA7Y1g9R:3YPT4Q9HHr1vIRCLShqq+FL
TLSH:	74E402247A10C56FCA905BB84EA5E3B457B0EE5D3E549F0B63E03FBFBDB91915908220
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*.....

File Icon


Icon Hash:	f2d29cccdcdcccdc

Static PE Info

General

Entrypoint:	0x403640
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9B1F [Sat Sep 25 21:56:47 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	61259b55b8912888e90f516ca08dc514

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A230h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080C8h]
mov esi, dword ptr [004080CCh]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007FAD50A616FAh
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007FAD50A616CAh
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [0042A318h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b000	0x32e60	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6676	0x6800	False	0.6568134014423077	data	6.4174599871908855	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x139a	0x1400	False	0.4498046875	data	5.141066817170598	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20378	0x600	False	0.509765625	data	4.110582127654237	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x10000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3b000	0x32e60	0x33000	False	0.4702914368872549	data	5.337142337075559	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3b358	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States
RT_ICON	0x4bb80	0xaac8	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x56648	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States
RT_ICON	0x5faf0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States
RT_ICON	0x64f78	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States
RT_ICON	0x691a0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States
RT_ICON	0x6b748	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States
RT_ICON	0x6c7f0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States
RT_ICON	0x6d178	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_DIALOG	0x6d5e0	0x100	data	English	United States
RT_DIALOG	0x6d6e0	0x11c	data	English	United States
RT_DIALOG	0x6d800	0x60	data	English	United States
RT_GROUP_ICON	0x6d860	0x84	data	English	United States
RT_VERSION	0x6d8e8	0x234	data	English	United States
RT_MANIFEST	0x6db20	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.545.132.106.374971264452816766 02/06/23-14:12:55.395066	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49712	6445	192.168.2.5	45.132.106.37
45.132.106.37192.168.2.56445497312841753 02/06/23-14:13:52.517965	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6445	49731	45.132.106.37	192.168.2.5
192.168.2.545.132.106.374970964452816766 02/06/23-14:12:39.702248	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49709	6445	192.168.2.5	45.132.106.37
45.132.106.37192.168.2.56445497072841753 02/06/23-14:12:33.506820	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6445	49707	45.132.106.37	192.168.2.5
192.168.2.545.132.106.374973564452816766 02/06/23-14:14:08.694757	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49735	6445	192.168.2.5	45.132.106.37
45.132.106.37192.168.2.56445497202841753 02/06/23-14:13:12.771040	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6445	49720	45.132.106.37	192.168.2.5
192.168.2.545.132.106.374972964452816766 02/06/23-14:13:42.328059	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49729	6445	192.168.2.5	45.132.106.37
192.168.2.545.132.106.374970264452816766 02/06/23-14:12:20.468192	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49702	6445	192.168.2.5	45.132.106.37
45.132.106.37192.168.2.56445497252841753 02/06/23-14:13:29.137140	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6445	49725	45.132.106.37	192.168.2.5
192.168.2.545.132.106.374971164452823337 02/06/23-14:12:50.979729	TCP	2823337	ETPRO TROJAN Nanocore Checkin Pattern	49711	6445	192.168.2.5	45.132.106.37
45.132.106.37192.168.2.56445497202810451 02/06/23-14:13:12.771040	TCP	2810451	ETPRO TROJAN NanoCore RAT Keepalive Response 3	6445	49720	45.132.106.37	192.168.2.5
45.132.106.37192.168.2.56445497332841753 02/06/23-14:13:57.153095	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6445	49733	45.132.106.37	192.168.2.5
45.132.106.37192.168.2.56445497352841753 02/06/23-14:14:08.617792	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6445	49735	45.132.106.37	192.168.2.5
45.132.106.37192.168.2.56445497362841753 02/06/23-14:14:13.470154	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6445	49736	45.132.106.37	192.168.2.5
192.168.2.545.132.106.374972264452816766 02/06/23-14:13:18.836838	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49722	6445	192.168.2.5	45.132.106.37
192.168.2.545.132.106.374971664452816766 02/06/23-14:12:59.871071	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49716	6445	192.168.2.5	45.132.106.37
192.168.2.545.132.106.374970364452816766 02/06/23-14:12:29.256960	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49703	6445	192.168.2.5	45.132.106.37
192.168.2.545.132.106.374972664452816766 02/06/23-14:13:33.513858	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49726	6445	192.168.2.5	45.132.106.37
45.132.106.37192.168.2.56445497272841753 02/06/23-14:13:37.915437	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6445	49727	45.132.106.37	192.168.2.5
45.132.106.37192.168.2.56445497292841753 02/06/23-14:13:42.158315	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6445	49729	45.132.106.37	192.168.2.5
45.132.106.37192.168.2.56445497022841753 02/06/23-14:12:20.379177	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6445	49702	45.132.106.37	192.168.2.5
45.132.106.37192.168.2.56445497262841753 02/06/23-14:13:33.469565	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6445	49726	45.132.106.37	192.168.2.5
192.168.2.545.132.106.374973364452816766 02/06/23-14:13:57.290193	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49733	6445	192.168.2.5	45.132.106.37
45.132.106.37192.168.2.56445497012841753 02/06/23-14:12:15.717836	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6445	49701	45.132.106.37	192.168.2.5
192.168.2.545.132.106.374970764452816766 02/06/23-14:12:33.686837	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49707	6445	192.168.2.5	45.132.106.37
45.132.106.37192.168.2.56445497122841753 02/06/23-14:12:55.336364	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6445	49712	45.132.106.37	192.168.2.5
45.132.106.37192.168.2.56445497162841753 02/06/23-14:12:59.766454	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6445	49716	45.132.106.37	192.168.2.5
45.132.106.37192.168.2.56445497192841753 02/06/23-14:13:08.445515	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6445	49719	45.132.106.37	192.168.2.5
192.168.2.545.132.106.374972364452816766 02/06/23-14:13:24.891407	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49723	6445	192.168.2.5	45.132.106.37
45.132.106.37192.168.2.56445497172841753 02/06/23-14:13:04.143032	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6445	49717	45.132.106.37	192.168.2.5
45.132.106.37192.168.2.56445497112841753 02/06/23-14:12:50.916490	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6445	49711	45.132.106.37	192.168.2.5
192.168.2.545.132.106.374971764452816766 02/06/23-14:13:04.199805	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49717	6445	192.168.2.5	45.132.106.37
192.168.2.545.132.106.374972764452816766 02/06/23-14:13:37.920388	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49727	6445	192.168.2.5	45.132.106.37
192.168.2.545.132.106.374973064452816766 02/06/23-14:13:48.218570	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49730	6445	192.168.2.5	45.132.106.37
192.168.2.545.132.106.374972264452816718 02/06/23-14:13:18.233724	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49722	6445	192.168.2.5	45.132.106.37
192.168.2.545.132.106.374973464452816766 02/06/23-14:14:04.014579	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49734	6445	192.168.2.5	45.132.106.37
192.168.2.545.132.106.374971064452816766 02/06/23-14:12:46.639827	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49710	6445	192.168.2.5	45.132.106.37
192.168.2.545.132.106.374972064452816766 02/06/23-14:13:12.842490	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49720	6445	192.168.2.5	45.132.106.37
192.168.2.545.132.106.374971164452816766 02/06/23-14:12:50.979729	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49711	6445	192.168.2.5	45.132.106.37
192.168.2.545.132.106.374973164452816766 02/06/23-14:13:52.687469	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49731	6445	192.168.2.5	45.132.106.37
192.168.2.545.132.106.374970164452816766 02/06/23-14:12:15.779461	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49701	6445	192.168.2.5	45.132.106.37
192.168.2.545.132.106.374972564452816766 02/06/23-14:13:29.249183	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49725	6445	192.168.2.5	45.132.106.37
45.132.106.37192.168.2.56445497092810290 02/06/23-14:12:38.309927	TCP	2810290	ETPRO TROJAN NanoCore RAT Keepalive Response 1	6445	49709	45.132.106.37	192.168.2.5
192.168.2.545.132.106.374971964452816766 02/06/23-14:13:08.627802	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49719	6445	192.168.2.5	45.132.106.37
192.168.2.545.132.106.374970364452816718 02/06/23-14:12:27.309652	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49703	6445	192.168.2.5	45.132.106.37

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 6, 2023 14:12:15.550626040 CET	49701	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:15.580632925 CET	6445	49701	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:15.580776930 CET	49701	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:15.631295919 CET	49701	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:15.676197052 CET	6445	49701	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:15.687864065 CET	49701	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:15.717835903 CET	6445	49701	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:15.718019962 CET	49701	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:15.747594118 CET	6445	49701	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:15.779460907 CET	49701	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:15.858882904 CET	6445	49701	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:15.863033056 CET	49701	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:15.943516970 CET	49701	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:15.952651978 CET	6445	49701	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:15.953249931 CET	49701	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:20.210206985 CET	49702	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:20.239721060 CET	6445	49702	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:20.239864111 CET	49702	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:20.258255005 CET	49702	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:20.316607952 CET	6445	49702	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:20.316914082 CET	49702	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:20.349812031 CET	6445	49702	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:20.349951982 CET	49702	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:20.379177094 CET	6445	49702	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:20.379296064 CET	49702	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:20.468054056 CET	6445	49702	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:20.468192101 CET	49702	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:20.501760006 CET	6445	49702	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:20.501795053 CET	6445	49702	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:20.501815081 CET	6445	49702	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:20.501837015 CET	6445	49702	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:20.501878977 CET	49702	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:20.501914978 CET	49702	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:20.526129007 CET	49702	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:20.530669928 CET	6445	49702	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:20.530744076 CET	6445	49702	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:20.530775070 CET	6445	49702	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:20.530891895 CET	49702	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:20.531017065 CET	6445	49702	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:20.531049013 CET	6445	49702	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:20.531078100 CET	6445	49702	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:20.531106949 CET	6445	49702	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:20.531137943 CET	6445	49702	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:20.531161070 CET	49702	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:20.531184912 CET	49702	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:26.676229000 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:26.714061975 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:26.714267015 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:26.753952026 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:26.827461004 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:26.827663898 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:26.921391964 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:26.921576023 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:26.950916052 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:26.962414026 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:27.046224117 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.046386003 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:27.076018095 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.076051950 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.076072931 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.076097965 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.076158047 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:27.076158047 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:27.086903095 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:27.105926991 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.106000900 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.106045961 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.106076956 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:27.106089115 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.106117964 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:27.106117964 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:27.106132984 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.106154919 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:27.106177092 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.106189013 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:27.106220961 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.106235981 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:27.106266022 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.106276989 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:27.106332064 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:27.135333061 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.135390043 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.135423899 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.135458946 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.135481119 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:27.135489941 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.135513067 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:27.135521889 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.135560989 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.135591030 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.135591984 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:27.135613918 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.135637045 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.135668039 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.135680914 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:27.135699034 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.135731936 CET	6445	49703	45.132.106.37	192.168.2.5
Feb 6, 2023 14:12:27.135735035 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:27.135747910 CET	49703	6445	192.168.2.5	45.132.106.37
Feb 6, 2023 14:12:27.135765076 CET	6445	49703	45.132.106.37	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 6, 2023 14:12:15.426714897 CET	61893	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:12:15.533972979 CET	53	61893	8.8.8.8	192.168.2.5
Feb 6, 2023 14:12:20.100056887 CET	60649	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:12:20.208462000 CET	53	60649	8.8.8.8	192.168.2.5
Feb 6, 2023 14:12:24.860294104 CET	51441	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:12:24.969638109 CET	53	51441	8.8.8.8	192.168.2.5
Feb 6, 2023 14:12:33.325907946 CET	61452	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:12:33.434902906 CET	53	61452	8.8.8.8	192.168.2.5
Feb 6, 2023 14:12:37.797481060 CET	65323	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:12:37.817137957 CET	53	65323	8.8.8.8	192.168.2.5
Feb 6, 2023 14:12:43.868993998 CET	51484	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:12:43.889022112 CET	53	51484	8.8.8.8	192.168.2.5
Feb 6, 2023 14:12:50.823187113 CET	63446	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:12:50.841149092 CET	53	63446	8.8.8.8	192.168.2.5
Feb 6, 2023 14:12:55.152124882 CET	56751	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:12:55.259871006 CET	53	56751	8.8.8.8	192.168.2.5
Feb 6, 2023 14:12:59.525441885 CET	55068	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:12:59.635647058 CET	53	55068	8.8.8.8	192.168.2.5
Feb 6, 2023 14:13:04.046624899 CET	56682	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:13:04.065140009 CET	53	56682	8.8.8.8	192.168.2.5
Feb 6, 2023 14:13:08.351641893 CET	62659	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:13:08.369720936 CET	53	62659	8.8.8.8	192.168.2.5
Feb 6, 2023 14:13:12.673418999 CET	58581	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:13:12.691442966 CET	53	58581	8.8.8.8	192.168.2.5
Feb 6, 2023 14:13:17.034033060 CET	65513	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:13:17.052063942 CET	53	65513	8.8.8.8	192.168.2.5
Feb 6, 2023 14:13:22.955478907 CET	56687	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:13:23.066755056 CET	53	56687	8.8.8.8	192.168.2.5
Feb 6, 2023 14:13:29.044564962 CET	52688	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:13:29.064649105 CET	53	52688	8.8.8.8	192.168.2.5
Feb 6, 2023 14:13:33.371251106 CET	61344	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:13:33.389108896 CET	53	61344	8.8.8.8	192.168.2.5
Feb 6, 2023 14:13:37.719351053 CET	53972	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:13:37.826854944 CET	53	53972	8.8.8.8	192.168.2.5
Feb 6, 2023 14:13:42.069423914 CET	58472	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:13:42.087323904 CET	53	58472	8.8.8.8	192.168.2.5
Feb 6, 2023 14:13:46.482965946 CET	60177	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:13:46.501174927 CET	53	60177	8.8.8.8	192.168.2.5
Feb 6, 2023 14:13:52.392618895 CET	60284	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:13:52.412906885 CET	53	60284	8.8.8.8	192.168.2.5
Feb 6, 2023 14:13:56.955427885 CET	50902	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:13:57.066534042 CET	53	50902	8.8.8.8	192.168.2.5
Feb 6, 2023 14:14:01.363904953 CET	53823	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:14:01.702450037 CET	53	53823	8.8.8.8	192.168.2.5
Feb 6, 2023 14:14:08.415575981 CET	49769	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:14:08.523582935 CET	53	49769	8.8.8.8	192.168.2.5
Feb 6, 2023 14:14:13.383150101 CET	49579	53	192.168.2.5	8.8.8.8
Feb 6, 2023 14:14:13.401088953 CET	53	49579	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 6, 2023 14:12:15.426714897 CET	192.168.2.5	8.8.8.8	0x65bc	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:12:20.100056887 CET	192.168.2.5	8.8.8.8	0xff1	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:12:24.860294104 CET	192.168.2.5	8.8.8.8	0x37d5	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:12:33.325907946 CET	192.168.2.5	8.8.8.8	0x815	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:12:37.797481060 CET	192.168.2.5	8.8.8.8	0xc389	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:12:43.868993998 CET	192.168.2.5	8.8.8.8	0x1b3f	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:12:50.823187113 CET	192.168.2.5	8.8.8.8	0xf6f0	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:12:55.152124882 CET	192.168.2.5	8.8.8.8	0xc366	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:12:59.525441885 CET	192.168.2.5	8.8.8.8	0x24a0	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:04.046624899 CET	192.168.2.5	8.8.8.8	0x8593	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:08.351641893 CET	192.168.2.5	8.8.8.8	0x44d3	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:12.673418999 CET	192.168.2.5	8.8.8.8	0x4bc6	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:17.034033060 CET	192.168.2.5	8.8.8.8	0x77f3	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:22.955478907 CET	192.168.2.5	8.8.8.8	0xd47b	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:29.044564962 CET	192.168.2.5	8.8.8.8	0x4e86	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:33.371251106 CET	192.168.2.5	8.8.8.8	0xde45	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:37.719351053 CET	192.168.2.5	8.8.8.8	0xadce	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:42.069423914 CET	192.168.2.5	8.8.8.8	0xee19	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:46.482965946 CET	192.168.2.5	8.8.8.8	0x1898	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:52.392618895 CET	192.168.2.5	8.8.8.8	0x665c	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:56.955427885 CET	192.168.2.5	8.8.8.8	0xc871	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:14:01.363904953 CET	192.168.2.5	8.8.8.8	0x26a	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:14:08.415575981 CET	192.168.2.5	8.8.8.8	0xd10c	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:14:13.383150101 CET	192.168.2.5	8.8.8.8	0xa53f	Standard query (0)	alertt.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 6, 2023 14:12:15.533972979 CET	8.8.8.8	192.168.2.5	0x65bc	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:12:20.208462000 CET	8.8.8.8	192.168.2.5	0xff1	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:12:24.969638109 CET	8.8.8.8	192.168.2.5	0x37d5	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:12:33.434902906 CET	8.8.8.8	192.168.2.5	0x815	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:12:37.817137957 CET	8.8.8.8	192.168.2.5	0xc389	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:12:43.889022112 CET	8.8.8.8	192.168.2.5	0x1b3f	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:12:50.841149092 CET	8.8.8.8	192.168.2.5	0xf6f0	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:12:55.259871006 CET	8.8.8.8	192.168.2.5	0xc366	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:12:59.635647058 CET	8.8.8.8	192.168.2.5	0x24a0	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:04.065140009 CET	8.8.8.8	192.168.2.5	0x8593	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:08.369720936 CET	8.8.8.8	192.168.2.5	0x44d3	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:12.691442966 CET	8.8.8.8	192.168.2.5	0x4bc6	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:17.052063942 CET	8.8.8.8	192.168.2.5	0x77f3	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:23.066755056 CET	8.8.8.8	192.168.2.5	0xd47b	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:29.064649105 CET	8.8.8.8	192.168.2.5	0x4e86	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:33.389108896 CET	8.8.8.8	192.168.2.5	0xde45	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:37.826854944 CET	8.8.8.8	192.168.2.5	0xadce	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:42.087323904 CET	8.8.8.8	192.168.2.5	0xee19	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:46.501174927 CET	8.8.8.8	192.168.2.5	0x1898	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:52.412906885 CET	8.8.8.8	192.168.2.5	0x665c	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:13:57.066534042 CET	8.8.8.8	192.168.2.5	0xc871	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:14:01.702450037 CET	8.8.8.8	192.168.2.5	0x26a	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:14:08.523582935 CET	8.8.8.8	192.168.2.5	0xd10c	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false
Feb 6, 2023 14:14:13.401088953 CET	8.8.8.8	192.168.2.5	0xa53f	No error (0)	alertt.duckdns.org	45.132.106.37	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	14:12:08
Start date:	06/02/2023
Path:	C:\Users\user\Desktop\lb64Iy4W4e.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\lb64Iy4W4e.exe
Imagebase:	0x400000
File size:	663392 bytes
MD5 hash:	4C7DF43E37814754AD1C8A97AB971AF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: tohjyweui.exePID: 5884, Parent PID: 4332

General

Target ID:	1
Start time:	14:12:08
Start date:	06/02/2023
Path:	C:\Users\user\AppData\Local\Temp\tohjyweui.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\AppData\Local\Temp\fwbfw.c
Imagebase:	0x9b0000
File size:	370176 bytes
MD5 hash:	64517EEC55E1F3C392B63B73D833E5F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: NanoCore, Description: unknown, Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 23%, ReversingLabs Detection: 29%, Virustotal, Browse
Reputation:	low

Analysis Process: tohjyweui.exePID: 4560, Parent PID: 5884

General

Target ID:	2
Start time:	14:12:10
Start date:	06/02/2023
Path:	C:\Users\user\AppData\Local\Temp\tohjyweui.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\tohjyweui.exe
Imagebase:	0x9b0000
File size:	370176 bytes
MD5 hash:	64517EEC55E1F3C392B63B73D833E5F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: tpyienirbwgp.exePID: 5716, Parent PID: 3324

General

Target ID:	3
Start time:	14:12:21
Start date:	06/02/2023
Path:	C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe" "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\A
Imagebase:	0x990000
File size:	370176 bytes
MD5 hash:	64517EEC55E1F3C392B63B73D833E5F9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 23%, ReversingLabs
Reputation:	low

Analysis Process: WerFault.exePID: 5420, Parent PID: 5716

General

Target ID:	6
Start time:	14:12:26
Start date:	06/02/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 632
Imagebase:	0x890000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: tpyienirbwgp.exePID: 5408, Parent PID: 3324

General

Target ID:	7
Start time:	14:12:30
Start date:	06/02/2023
Path:	C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe" "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\A
Imagebase:	0x990000
File size:	370176 bytes
MD5 hash:	64517EEC55E1F3C392B63B73D833E5F9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: WerFault.exePID: 4032, Parent PID: 5408

General

Target ID:	9
Start time:	14:12:31
Start date:	06/02/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 604
Imagebase:	0x890000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lb64Iy4W4e.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_tpyienirbwgp.exe_491668454d7886d02c78a9f3324eec6e9b560bc_bb377917_0f868df3\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_tpyienirbwgp.exe_491668454d7886d02c78a9f3324eec6e9b560bc_bb377917_156a7e34\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7318.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER756B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER75D9.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER82C8.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER84BD.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER84EC.tmp.xml

C:\Users\user\AppData\Local\Temp\fwbfw.c

Windows Analysis Report
lb64Iy4W4e.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre