Analysis Report TNT AWB TRACKING DETAILS.exe

Overview

General Information

Sample Name: TNT AWB TRACKING DETAILS.exe
Analysis ID: 298669
MD5: 0378b8ceb6d142ca2fc14b0dbc7b7b37
SHA1: 690c8874f3ee0abac4fc9ab329c283d44e8d13ce
SHA256: b8ad7398bf812d51b21f9ec51b8ffba7d3830dac0a949f09acea087066f4368b
Tags: exe, NanoCore, nVpn, RAT, TNT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • TNT AWB TRACKING DETAILS.exe (PID: 4616 cmdline: 'C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe' MD5: 0378B8CEB6D142CA2FC14B0DBC7B7B37)
    • TNT AWB TRACKING DETAILS.exe (PID: 6392 cmdline: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe MD5: 0378B8CEB6D142CA2FC14B0DBC7B7B37)
      • schtasks.exe (PID: 6460 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp11E5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6516 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp14D4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • TNT AWB TRACKING DETAILS.exe (PID: 6532 cmdline: 'C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe' 0 MD5: 0378B8CEB6D142CA2FC14B0DBC7B7B37)
  • dhcpmon.exe (PID: 6656 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 0378B8CEB6D142CA2FC14B0DBC7B7B37)
    • dhcpmon.exe (PID: 7052 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 0378B8CEB6D142CA2FC14B0DBC7B7B37)
  • dhcpmon.exe (PID: 6820 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 0378B8CEB6D142CA2FC14B0DBC7B7B37)
    • dhcpmon.exe (PID: 7104 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 0378B8CEB6D142CA2FC14B0DBC7B7B37)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["129.205.124.140"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000F.00000002.500885264.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000002.500885264.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000F.00000002.500885264.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000017.00000003.413855031.0000000004206000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x22b2d:$x1: NanoCore.ClientPluginHost
  • 0x22b6a:$x2: IClientNetworkHost
  • 0x2669d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000017.00000003.413855031.0000000004206000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
15.2.TNT AWB TRACKING DETAILS.exe.6b00000.6.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
15.2.TNT AWB TRACKING DETAILS.exe.6b00000.6.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
15.2.TNT AWB TRACKING DETAILS.exe.6b00000.6.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
24.2.TNT AWB TRACKING DETAILS.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
24.2.TNT AWB TRACKING DETAILS.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, ProcessId: 6392, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp11E5.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp11E5.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, ParentImage: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, ParentProcessId: 6392, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp11E5.tmp', ProcessId: 6460

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: TNT AWB TRACKING DETAILS.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Avira: detection malicious, Label: TR/AD.Nanocore.eiaqq
Found malware configuration
Source: TNT AWB TRACKING DETAILS.exe.6392.15.memstr, Malware Configuration Extractor: NanoCore {"C2: ": ["129.205.124.140"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Virustotal: Detection: 28%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: TNT AWB TRACKING DETAILS.exe, Virustotal: Detection: 28%
Source: TNT AWB TRACKING DETAILS.exe, ReversingLabs: Detection: 22%
Yara detected Nanocore RAT
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: TNT AWB TRACKING DETAILS.exe, Joe Sandbox ML: detected
Source: 24.2.TNT AWB TRACKING DETAILS.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 26.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 25.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.2.TNT AWB TRACKING DETAILS.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7

Networking:

Uses dynamic DNS services
Source: unknown, DNS query: name: chinomso.duckdns.org
Source: global traffic, TCP traffic: 192.168.2.5:49731 -> 129.205.124.140:7688
Source: Joe Sandbox View, ASN Name: globacom-asNG globacom-asNG
Source: unknown, DNS traffic detected: queries for: chinomso.duckdns.org
Source: TNT AWB TRACKING DETAILS.exe, 0000000F.00000002.509105652.0000000006B00000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
.NET source code contains very large strings
Source: TNT AWB TRACKING DETAILS.exe, JNskLZgmmW2syBrkla/OBvedtrL46kbyDLhZa.cs, Long String: Length: 487424
Source: 12.2.TNT AWB TRACKING DETAILS.exe.120000.0.unpack, JNskLZgmmW2syBrkla/OBvedtrL46kbyDLhZa.cs, Long String: Length: 487424
Source: 12.0.TNT AWB TRACKING DETAILS.exe.120000.0.unpack, JNskLZgmmW2syBrkla/OBvedtrL46kbyDLhZa.cs, Long String: Length: 487424
        Source: TNT AWB TRACKING DETAILS.exe, 00000000.00000000.235137823.0000000000B28000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLime_chinomso(1).exe4 vs TNT AWB TRACKING DETAILS.exe
        Source: TNT AWB TRACKING DETAILS.exe, 00000000.00000002.311087021.0000000001590000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClassLibrary3.dll< vs TNT AWB TRACKING DETAILS.exe
        Source: TNT AWB TRACKING DETAILS.exe, 00000000.00000002.315181208.00000000054A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDotkhd.dll4 vs TNT AWB TRACKING DETAILS.exe
        Source: TNT AWB TRACKING DETAILS.exe, 0000000C.00000000.306759926.0000000000248000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLime_chinomso(1).exe4 vs TNT AWB TRACKING DETAILS.exe
        Source: TNT AWB TRACKING DETAILS.exe, 0000000D.00000002.308386238.00000000002D8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLime_chinomso(1).exe4 vs TNT AWB TRACKING DETAILS.exe
        Source: TNT AWB TRACKING DETAILS.exe, 0000000F.00000000.309409146.0000000001098000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLime_chinomso(1).exe4 vs TNT AWB TRACKING DETAILS.exe
        Source: TNT AWB TRACKING DETAILS.exe, 0000000F.00000002.508994994.0000000006A10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs TNT AWB TRACKING DETAILS.exe
        Source: TNT AWB TRACKING DETAILS.exe, 0000000F.00000002.509587146.00000000074E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs TNT AWB TRACKING DETAILS.exe
        Source: TNT AWB TRACKING DETAILS.exe, 0000000F.00000002.509105652.0000000006B00000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs TNT AWB TRACKING DETAILS.exe
        Source: TNT AWB TRACKING DETAILS.exe, 0000000F.00000002.509105652.0000000006B00000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs TNT AWB TRACKING DETAILS.exe
        Source: TNT AWB TRACKING DETAILS.exe, 0000000F.00000002.506540129.0000000004368000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs TNT AWB TRACKING DETAILS.exe
        Source: TNT AWB TRACKING DETAILS.exe, 00000014.00000002.395003736.0000000003AB1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDotkhd.dll4 vs TNT AWB TRACKING DETAILS.exe
        Source: TNT AWB TRACKING DETAILS.exe, 00000014.00000002.392034086.00000000011B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClassLibrary3.dll< vs TNT AWB TRACKING DETAILS.exe
        Source: TNT AWB TRACKING DETAILS.exe, 00000014.00000000.318260813.0000000000718000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLime_chinomso(1).exe4 vs TNT AWB TRACKING DETAILS.exe
        Source: TNT AWB TRACKING DETAILS.exe, 00000018.00000000.390491177.0000000000898000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLime_chinomso(1).exe4 vs TNT AWB TRACKING DETAILS.exe
        Source: TNT AWB TRACKING DETAILS.exe, 00000018.00000002.409008901.0000000003B29000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs TNT AWB TRACKING DETAILS.exe
        Source: TNT AWB TRACKING DETAILS.exe, 00000018.00000002.409008901.0000000003B29000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs TNT AWB TRACKING DETAILS.exe
        Source: TNT AWB TRACKING DETAILS.exe, 00000018.00000002.409008901.0000000003B29000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs TNT AWB TRACKING DETAILS.exe
        Source: TNT AWB TRACKING DETAILS.exe, 00000018.00000002.408541120.0000000000EAA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs TNT AWB TRACKING DETAILS.exe
        Source: TNT AWB TRACKING DETAILS.exe | Binary or memory string: OriginalFilenameLime_chinomso(1).exe4 vs TNT AWB TRACKING DETAILS.exe
        Source: 0000000F.00000002.500885264.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.500885264.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000003.413855031.0000000004206000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000017.00000003.413855031.0000000004206000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000019.00000002.416582812.00000000040F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000002.395003736.0000000003AB1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000002.395003736.0000000003AB1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000018.00000002.407923691.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000018.00000002.407923691.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000003.397475657.0000000004586000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000015.00000003.397475657.0000000004586000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.508642366.0000000005D00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.508642366.0000000005D00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000017.00000002.419308358.0000000004091000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000017.00000002.419308358.0000000004091000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.310044771.0000000004036000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.310044771.0000000004036000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000019.00000002.416254252.00000000030F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000018.00000002.409008901.0000000003B29000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000002.402174332.0000000004411000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000015.00000002.402174332.0000000004411000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001A.00000002.435056526.0000000004149000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.509105652.0000000006B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.509105652.0000000006B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000F.00000002.506540129.0000000004368000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000018.00000002.408906151.0000000002B21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001A.00000002.434053801.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001A.00000002.434053801.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000003.391037368.0000000003C26000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000003.391037368.0000000003C26000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.313496236.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.313496236.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001A.00000002.434990248.0000000003141000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000019.00000002.414509500.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000019.00000002.414509500.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: TNT AWB TRACKING DETAILS.exe PID: 6392, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: TNT AWB TRACKING DETAILS.exe PID: 6392, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6820, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6820, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: TNT AWB TRACKING DETAILS.exe PID: 6532, type: MEMORY | Matched rule: Nanocore_RAT_