Analysis Report nanocore.exe

Overview

General Information

Sample Name: nanocore.exe
Analysis ID: 384377
MD5: 08803cc817d8b1046a964af11685b15c
SHA1: 8d76cc9e4e21f90aaa0d2a8e9dd88ccb03349f29
SHA256: 00343ef156007c41a76abebe2b0304aacc7e2b12e0d30ea476ecf8c847a54dfc
Tags: Nanocore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Hides that the sample has been downloaded from the Internet (zone.identifier)
Maps a DLL or memory area into another process
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • nanocore.exe (PID: 7064 cmdline: 'C:\Users\user\Desktop\nanocore.exe' MD5: 08803CC817D8B1046A964AF11685B15C)
    • nanocore.exe (PID: 7104 cmdline: 'C:\Users\user\Desktop\nanocore.exe' MD5: 08803CC817D8B1046A964AF11685B15C)
      • schtasks.exe (PID: 5800 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp38C1.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5108 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3B81.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • nanocore.exe (PID: 4108 cmdline: C:\Users\user\Desktop\nanocore.exe 0 MD5: 08803CC817D8B1046A964AF11685B15C)
    • nanocore.exe (PID: 5904 cmdline: C:\Users\user\Desktop\nanocore.exe 0 MD5: 08803CC817D8B1046A964AF11685B15C)
  • dhcpmon.exe (PID: 5752 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 08803CC817D8B1046A964AF11685B15C)
    • dhcpmon.exe (PID: 6152 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 08803CC817D8B1046A964AF11685B15C)
  • dhcpmon.exe (PID: 6724 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 08803CC817D8B1046A964AF11685B15C)
    • dhcpmon.exe (PID: 6704 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 08803CC817D8B1046A964AF11685B15C)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "bee718f3-e47a-44f8-955e-2fe2c6c0", "Group": "Default", "Domain1": "chinomso.duckdns.org", "Domain2": "chinomso.duckdns.org", "Port": 7688, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "chinomso.duckdns.org", "BackupDNSServer": "chinomso.duckdns.orgAMC9Avo9uFWUE1JbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x215e5:$x1: NanoCore.ClientPluginHost
  • 0x21622:$x2: IClientNetworkHost
  • 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x2135d:$x1: NanoCore Client.exe
  • 0x215e5:$x2: NanoCore.ClientPluginHost
  • 0x22c1e:$s1: PluginCommand
  • 0x22c12:$s2: FileCommand
  • 0x23ac3:$s3: PipeExists
  • 0x2987a:$s4: PipeCreated
  • 0x2160f:$s5: IClientLoggingHost
00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
    00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0x2134d:$a: NanoCore
    • 0x2135d:$a: NanoCore
    • 0x21591:$a: NanoCore
    • 0x215a5:$a: NanoCore
    • 0x215e5:$a: NanoCore
    • 0x213ac:$b: ClientPlugin
    • 0x215ae:$b: ClientPlugin
    • 0x215ee:$b: ClientPlugin
    • 0x214d3:$c: ProjectData
    • 0x21eda:$d: DESCrypto
    • 0x298a6:$e: KeepAlive
    • 0x27894:$g: LogClientMessage
    • 0x23a8f:$i: get_Connected
    • 0x22210:$j: #=q
    • 0x22240:$j: #=q
    • 0x2225c:$j: #=q
    • 0x2228c:$j: #=q
    • 0x222a8:$j: #=q
    • 0x222c4:$j: #=q
    • 0x222f4:$j: #=q
    • 0x22310:$j: #=q
    0000000A.00000002.683529518.0000000000679000.00000004.00000020.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x2db9d:$x1: NanoCore.ClientPluginHost
    • 0x2dbda:$x2: IClientNetworkHost
    • 0x3170d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

    Unpacked PEs

    Source | Rule | Description | Author | Strings
    10.1.nanocore.exe.415058.1.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0xe38d:$x1: NanoCore.ClientPluginHost
    • 0xe3ca:$x2: IClientNetworkHost
    • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    10.1.nanocore.exe.415058.1.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0xe105:$x1: NanoCore Client.exe
    • 0xe38d:$x2: NanoCore.ClientPluginHost
    • 0xf9c6:$s1: PluginCommand
    • 0xf9ba:$s2: FileCommand
    • 0x1086b:$s3: PipeExists
    • 0x16622:$s4: PipeCreated
    • 0xe3b7:$s5: IClientLoggingHost
    10.1.nanocore.exe.415058.1.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
      10.1.nanocore.exe.415058.1.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
      • 0xe0f5:$a: NanoCore
      • 0xe105:$a: NanoCore
      • 0xe339:$a: NanoCore
      • 0xe34d:$a: NanoCore
      • 0xe38d:$a: NanoCore
      • 0xe154:$b: ClientPlugin
      • 0xe356:$b: ClientPlugin
      • 0xe396:$b: ClientPlugin
      • 0xe27b:$c: ProjectData
      • 0xec82:$d: DESCrypto
      • 0x1664e:$e: KeepAlive
      • 0x1463c:$g: LogClientMessage
      • 0x10837:$i: get_Connected
      • 0xefb8:$j: #=q
      • 0xefe8:$j: #=q
      • 0xf004:$j: #=q
      • 0xf034:$j: #=q
      • 0xf050:$j: #=q
      • 0xf06c:$j: #=q
      • 0xf09c:$j: #=q
      • 0xf0b8:$j: #=q
      11.2.dhcpmon.exe.415058.1.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0xe38d:$x1: NanoCore.ClientPluginHost
      • 0xe3ca:$x2: IClientNetworkHost
      • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

      Sigma Overview

      System Summary:

      Sigma detected: NanoCore
      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\nanocore.exe, ProcessId: 7104, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
      Sigma detected: Scheduled temp file as task from temp location
      Source: Process started, Author: Joe Security, Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp38C1.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp38C1.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\nanocore.exe' , ParentImage: C:\Users\user\Desktop\nanocore.exe, ParentProcessId: 7104, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp38C1.tmp', ProcessId: 5800

      Signature Overview

      AV Detection:

      Found malware configuration
      Source: 0000000B.00000002.684555433.0000000002320000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore (same configuration as listed under Malware Configuration)
      Multi AV Scanner detection for domain / URL
      Source: chinomso.duckdns.org, Virustotal: Detection: 9%
      Multi AV Scanner detection for dropped file
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 34%
      Source: C:\Users\user\AppData\Local\Temp\nse444B.tmp\4rmzuajr4dtt.dll, ReversingLabs: Detection: 24%
      Source: C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll, ReversingLabs: Detection: 24%
      Source: C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll, ReversingLabs: Detection: 24%
      Source: C:\Users\user\AppData\Local\Temp\nsq6D11.tmp\4rmzuajr4dtt.dll, ReversingLabs: Detection: 24%
      Multi AV Scanner detection for submitted file
      Source: nanocore.exe, Virustotal: Detection: 21%
      Source: nanocore.exe, ReversingLabs: Detection: 34%
      Yara detected Nanocore RAT
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 13.2.dhcpmon.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 10.2.nanocore.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 10.2.nanocore.exe.49c0000.9.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 2.2.nanocore.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 2.2.nanocore.exe.4a90000.8.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 2.2.nanocore.exe.58b0000.12.unpack, Avira: Label: TR/NanoCore.fadte
      Source: 2.1.nanocore.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 11.1.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 11.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 10.1.nanocore.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 13.1.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7

      Compliance:

      Detected unpacking (creates a PE file in dynamic memory)
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Unpacked PE file: 11.2.dhcpmon.exe.4920000.9.unpack
      Detected unpacking (overwrites its own PE header)
      Source: C:\Users\user\Desktop\nanocore.exe, Unpacked PE file: 2.2.nanocore.exe.400000.0.unpack
      Source: C:\Users\user\Desktop\nanocore.exe, Unpacked PE file: 10.2.nanocore.exe.400000.0.unpack
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Unpacked PE file: 11.2.dhcpmon.exe.400000.0.unpack
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Unpacked PE file: 13.2.dhcpmon.exe.400000.1.unpack
      Source: nanocore.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: Binary string: wntdll.pdbUGP source: nanocore.exe, 00000001.00000003.642186988.000000001EF10000.00000004.00000001.sdmp, nanocore.exe, 00000008.00000003.662832821.000000001EF60000.00000004.00000001.sdmp, dhcpmon.exe, 00000009.00000003.662538555.000000001EE10000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.682182243.000000001EE20000.00000004.00000001.sdmp
      Source: Binary string: wntdll.pdb source: nanocore.exe, 00000001.00000003.642186988.000000001EF10000.00000004.00000001.sdmp, nanocore.exe, 00000008.00000003.662832821.000000001EF60000.00000004.00000001.sdmp, dhcpmon.exe, 00000009.00000003.662538555.000000001EE10000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.682182243.000000001EE20000.00000004.00000001.sdmp
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 1_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 1_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 1_2_004026BC FindFirstFileA,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 2_2_00404A29 FindFirstFileExW,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 8_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 8_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 8_2_004026BC FindFirstFileA,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_2_00404A29 FindFirstFileExW,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_1_00404A29 FindFirstFileExW,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_2_00404A29 FindFirstFileExW,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_1_00404A29 FindFirstFileExW,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_00404A29 FindFirstFileExW,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_1_00404A29 FindFirstFileExW,

      Networking:

      C2 URLs / IPs found in malware configuration
      Source: Malware configuration extractor URLs: chinomso.duckdns.org
      Uses dynamic DNS services
      Source: unknown DNS query: name: chinomso.duckdns.org
      Source: global traffic TCP traffic: 192.168.2.4:49740 -> 213.208.152.210:7688
      Source: Joe Sandbox View ASN Name: NEXTLAYER-ASAT NEXTLAYER-ASAT
      Source: unknown DNS traffic detected: queries for: chinomso.duckdns.org
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 1_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,
      Source: nanocore.exe, 00000001.00000002.650327824.0000000000A4A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: nanocore.exe, 00000002.00000002.909694649.00000000058B0000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

      Yara detected Nanocore RAT

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.3.dhcpmon.exe.7130f0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.3.dhcpmon.exe.7130f0.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.58b0000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.4970000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.4970000.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.34c5530.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.34c5530.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.1.nanocore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.1.nanocore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.2.dhcpmon.exe.233ba50.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.47f0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.47f0000.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.dhcpmon.exe.1ed70000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.dhcpmon.exe.1ed70000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 8.2.nanocore.exe.1eed1458.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.nanocore.exe.1eed1458.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.346e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.346e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.35b7815.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.34c5530.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.34c5530.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.dhcpmon.exe.1ed70000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.dhcpmon.exe.1ed70000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.2.dhcpmon.exe.715c48.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.715c48.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.3477815.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.nanocore.exe.1eed1458.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.nanocore.exe.1eed1458.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.3547815.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.3357815.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.245ba50.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.696a10.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.696a10.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.35b31ec.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.33f5530.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.33f5530.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.2.dhcpmon.exe.32d5530.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.32d5530.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.5b31b8.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.5b31b8.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.3.dhcpmon.exe.7130f0.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.3.dhcpmon.exe.7130f0.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.34731ec.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.4940000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.4940000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.7130f0.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.7130f0.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.4970000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.4970000.7.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.35431ec.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.252b8c4.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.nanocore.exe.1eec0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.nanocore.exe.1eec0000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.35b31ec.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.47f0000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.47f0000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.dhcpmon.exe.1ed81458.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.dhcpmon.exe.1ed81458.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.35ae3b6.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.35ae3b6.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.1.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.1.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 8.2.nanocore.exe.1eed1458.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.nanocore.exe.1eed1458.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.35431ec.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.58b0000.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.dhcpmon.exe.1ed91458.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.dhcpmon.exe.1ed91458.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.dhcpmon.exe.1ed80000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.dhcpmon.exe.1ed80000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.dhcpmon.exe.1ed80000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.dhcpmon.exe.1ed80000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.7130f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.7130f0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.1.nanocore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.1.nanocore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.353e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.353e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.34731ec.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.334e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.334e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.dhcpmon.exe.1ed91458.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.dhcpmon.exe.1ed91458.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.2.dhcpmon.exe.715c48.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.715c48.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.5b31b8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.5b31b8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 1_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 8_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
      Source: nanocore.exe, 00000001.00000003.643905225.000000001F026000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs nanocore.exe
      Source: nanocore.exe, 00000002.00000002.909718958.00000000058E0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs nanocore.exe
      Source: nanocore.exe, 00000002.00000002.909694649.00000000058B0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs nanocore.exe
      Source: nanocore.exe, 00000002.00000002.909617684.00000000057B0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs nanocore.exe
      Source: nanocore.exe, 00000002.00000002.905801654.0000000002531000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs nanocore.exe
      Source: nanocore.exe, 00000002.00000002.909912427.0000000006530000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs nanocore.exe
      Source: nanocore.exe, 00000002.00000002.909495534.0000000005250000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs nanocore.exe
      Source: nanocore.exe, 00000008.00000003.664138784.000000001F20F000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs nanocore.exe
      Source: nanocore.exe, 0000000A.00000002.684361480.0000000002510000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs nanocore.exe
      Source: nanocore.exe, 0000000A.00000002.684361480.0000000002510000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs nanocore.exe
      Source: nanocore.exe, 0000000A.00000002.684499268.00000000034FC000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs nanocore.exe
      Source: nanocore.exe, 0000000A.00000002.687348266.0000000005230000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs nanocore.exe
      Source: nanocore.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.683529518.0000000000679000.00000004.00000020.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.683529518.0000000000679000.00000004.00000020.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000002.684555433.0000000002320000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.684361480.0000000002510000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.909694649.00000000058B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.909694649.00000000058B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.684499268.00000000034FC000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.703714772.00000000033F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000002.703714772.00000000033F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.704559063.0000000004FA2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000002.704559063.0000000004FA2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000002.683969306.00000000006FC000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000B.00000002.683969306.00000000006FC000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.703774283.000000000342C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.682558622.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.682558622.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000002.682558622.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.907930500.0000000004A92000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.907930500.0000000004A92000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000002.686692380.0000000004922000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000B.00000002.686692380.0000000004922000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.702826612.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000002.702826612.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000D.00000002.702826612.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.703677926.0000000002440000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.904977643.0000000000598000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.904977643.0000000000598000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000002.684652674.000000000330C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000002.686247080.00000000047F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000B.00000002.686247080.00000000047F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000B.00000002.686247080.00000000047F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.703409413.00000000006E7000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000002.703409413.00000000006E7000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.685817351.0000000004940000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.685817351.0000000004940000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000002.685817351.0000000004940000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.684426343.00000000034C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.684426343.00000000034C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.909667904.0000000005820000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.909667904.0000000005820000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000001.645917465.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000001.645917465.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.907047589.0000000004970000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.907047589.0000000004970000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.907047589.0000000004970000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.704356267.0000000004910000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000002.704356267.0000000004910000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000D.00000002.704356267.0000000004910000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.686102213.00000000049C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.686102213.00000000049C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000002.684614120.00000000032D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000B.00000002.684614120.00000000032D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.906581049.00000000035AC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000003.685637337.0000000000711000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000003.685637337.0000000000711000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 5752, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 5752, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 6152, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 6152, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: nanocore.exe PID: 7064, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: nanocore.exe PID: 7064, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: nanocore.exe PID: 7104, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: nanocore.exe PID: 7104, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: nanocore.exe PID: 4108, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: nanocore.exe PID: 4108, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: nanocore.exe PID: 5904, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: nanocore.exe PID: 5904, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 6724, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 6724, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 6704, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 6704, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 11.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.nanocore.exe.1eed1458.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.nanocore.exe.1eed1458.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.nanocore.exe.1eed1458.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.nanocore.exe.696a10.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.696a10.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.nanocore.exe.696a10.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.5820000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.5820000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.33531ec.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.33531ec.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.nanocore.exe.1eec0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.nanocore.exe.1eec0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.nanocore.exe.1eec0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 11.2.dhcpmon.exe.32d5530.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.32d5530.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.nanocore.exe.1eec0000.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.nanocore.exe.1eec0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.32d5530.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.nanocore.exe.1eec0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.4910000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.4910000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.dhcpmon.exe.4910000.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.dhcpmon.exe.1ed81458.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.dhcpmon.exe.1ed81458.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 9.2.dhcpmon.exe.1ed81458.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.4910000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.4910000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.dhcpmon.exe.4910000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.nanocore.exe.1eec0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.nanocore.exe.1eec0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.nanocore.exe.1eec0000.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.nanocore.exe.4940000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.4940000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.nanocore.exe.4940000.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.nanocore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.nanocore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 11.2.dhcpmon.exe.33531ec.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.33531ec.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.33f5530.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.33f5530.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.dhcpmon.exe.33f5530.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.nanocore.exe.49c0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.49c0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.nanocore.exe.49c0000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.1.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.1.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.1.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.58b4629.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.58b4629.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.nanocore.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.nanocore.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.nanocore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.4a90000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.4a90000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.nanocore.exe.4a90000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.3.dhcpmon.exe.7130f0.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.3.dhcpmon.exe.7130f0.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.3.dhcpmon.exe.7130f0.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.58b0000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.58b0000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.nanocore.exe.4970000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.4970000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.nanocore.exe.4970000.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.nanocore.exe.34c5530.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.34c5530.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.nanocore.exe.34c5530.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.1.nanocore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.1.nanocore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.1.nanocore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 11.2.dhcpmon.exe.233ba50.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.233ba50.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.47f0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.47f0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.47f0000.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.dhcpmon.exe.1ed70000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.dhcpmon.exe.1ed70000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 9.2.dhcpmon.exe.1ed70000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.nanocore.exe.1eed1458.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.nanocore.exe.1eed1458.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.nanocore.exe.1eed1458.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.nanocore.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.346e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.346e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.dhcpmon.exe.346e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.35b7815.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.35b7815.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.nanocore.exe.34c5530.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.34c5530.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.nanocore.exe.34c5530.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.dhcpmon.exe.1ed70000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.dhcpmon.exe.1ed70000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 9.2.dhcpmon.exe.1ed70000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 11.2.dhcpmon.exe.715c48.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.715c48.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.715c48.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.3477815.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.3477815.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.nanocore.exe.1eed1458.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.nanocore.exe.1eed1458.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.nanocore.exe.1eed1458.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.nanocore.exe.3547815.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.3547815.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.3357815.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.3357815.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.245ba50.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.245ba50.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.nanocore.exe.696a10.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.696a10.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.nanocore.exe.696a10.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.35b31ec.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.35b31ec.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.33f5530.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.33f5530.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.dhcpmon.exe.33f5530.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 11.2.dhcpmon.exe.32d5530.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.32d5530.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.32d5530.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.5b31b8.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.5b31b8.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.nanocore.exe.5b31b8.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.3.dhcpmon.exe.7130f0.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.3.dhcpmon.exe.7130f0.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.3.dhcpmon.exe.7130f0.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.34731ec.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.34731ec.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.nanocore.exe.4940000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.4940000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.nanocore.exe.4940000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.7130f0.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.7130f0.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.dhcpmon.exe.7130f0.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.4970000.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.4970000.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.nanocore.exe.4970000.7.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.nanocore.exe.35431ec.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.35431ec.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.nanocore.exe.252b8c4.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.252b8c4.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.nanocore.exe.1eec0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.nanocore.exe.1eec0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.nanocore.exe.1eec0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.35b31ec.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.35b31ec.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.47f0000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.47f0000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.47f0000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.dhcpmon.exe.1ed81458.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.dhcpmon.exe.1ed81458.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 9.2.dhcpmon.exe.1ed81458.5.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.35ae3b6.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.35ae3b6.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.nanocore.exe.35ae3b6.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.1.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.1.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.1.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.nanocore.exe.1eed1458.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.nanocore.exe.1eed1458.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.nanocore.exe.1eed1458.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.nanocore.exe.35431ec.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.35431ec.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.nanocore.exe.58b0000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.58b0000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.dhcpmon.exe.1ed91458.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.dhcpmon.exe.1ed91458.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.dhcpmon.exe.1ed91458.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.dhcpmon.exe.1ed80000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.dhcpmon.exe.1ed80000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.dhcpmon.exe.1ed80000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.dhcpmon.exe.1ed80000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.dhcpmon.exe.1ed80000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.dhcpmon.exe.1ed80000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.7130f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.7130f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.dhcpmon.exe.7130f0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.1.nanocore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.1.nanocore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.1.nanocore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.nanocore.exe.353e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.353e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.nanocore.exe.353e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.34731ec.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.34731ec.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.334e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.334e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.334e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.dhcpmon.exe.1ed91458.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.dhcpmon.exe.1ed91458.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.dhcpmon.exe.1ed91458.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 11.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 11.2.dhcpmon.exe.715c48.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.715c48.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.715c48.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 11.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.5b31b8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.5b31b8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.nanocore.exe.5b31b8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.4a90000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 2.2.nanocore.exe.4a90000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 2.2.nanocore.exe.4a90000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: 10.2.nanocore.exe.49c0000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 10.2.nanocore.exe.49c0000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: 10.2.nanocore.exe.49c0000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: 2.2.nanocore.exe.4a90000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 2.2.nanocore.exe.4a90000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 10.2.nanocore.exe.49c0000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 10.2.nanocore.exe.49c0000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: classification engineClassification label: mal100.troj.evad.winEXE@18/20@24/2
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 1_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 1_2_004020A6 CoCreateInstance,MultiByteToWideChar,
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 2_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,
      Source: C:\Users\user\Desktop\nanocore.exeFile created: C:\Program Files (x86)\DHCP Monitor
      Source: C:\Users\user\Desktop\nanocore.exeFile created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5820:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_01
      Source: C:\Users\user\Desktop\nanocore.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{bee718f3-e47a-44f8-955e-2fe2c6c0351c}
      Source: C:\Users\user\Desktop\nanocore.exeFile created: C:\Users\user\AppData\Local\Temp\nss2662.tmp
      Source: nanocore.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\nanocore.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\nanocore.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\nanocore.exeFile read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\nanocore.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: nanocore.exeVirustotal: Detection: 21%
      Source: nanocore.exeReversingLabs: Detection: 34%
      Source: C:\Users\user\Desktop\nanocore.exeFile read: C:\Users\user\Desktop\nanocore.exe
      Source: unknownProcess created: C:\Users\user\Desktop\nanocore.exe 'C:\Users\user\Desktop\nanocore.exe'
      Source: C:\Users\user\Desktop\nanocore.exeProcess created: C:\Users\user\Desktop\nanocore.exe 'C:\Users\user\Desktop\nanocore.exe'
      Source: C:\Users\user\Desktop\nanocore.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp38C1.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\nanocore.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3B81.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Users\user\Desktop\nanocore.exe C:\Users\user\Desktop\nanocore.exe 0
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
      Source: C:\Users\user\Desktop\nanocore.exeProcess created: C:\Users\user\Desktop\nanocore.exe C:\Users\user\Desktop\nanocore.exe 0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Users\user\Desktop\nanocore.exeProcess created: C:\Users\user\Desktop\nanocore.exe 'C:\Users\user\Desktop\nanocore.exe'
      Source: C:\Users\user\Desktop\nanocore.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp38C1.tmp'
      Source: C:\Users\user\Desktop\nanocore.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3B81.tmp'
      Source: C:\Users\user\Desktop\nanocore.exeProcess created: C:\Users\user\Desktop\nanocore.exe C:\Users\user\Desktop\nanocore.exe 0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Users\user\Desktop\nanocore.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
      Source: C:\Users\user\Desktop\nanocore.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: Binary string: wntdll.pdbUGP source: nanocore.exe, 00000001.00000003.642186988.000000001EF10000.00000004.00000001.sdmp, nanocore.exe, 00000008.00000003.662832821.000000001EF60000.00000004.00000001.sdmp, dhcpmon.exe, 00000009.00000003.662538555.000000001EE10000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.682182243.000000001EE20000.00000004.00000001.sdmp
      Source: Binary string: wntdll.pdb source: nanocore.exe, 00000001.00000003.642186988.000000001EF10000.00000004.00000001.sdmp, nanocore.exe, 00000008.00000003.662832821.000000001EF60000.00000004.00000001.sdmp, dhcpmon.exe, 00000009.00000003.662538555.000000001EE10000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.682182243.000000001EE20000.00000004.00000001.sdmp

      Data Obfuscation:

      Detected unpacking (changes PE section rights)
      Source: C:\Users\user\Desktop\nanocore.exeUnpacked PE file: 2.2.nanocore.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
      Source: C:\Users\user\Desktop\nanocore.exeUnpacked PE file: 10.2.nanocore.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 11.2.dhcpmon.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 13.2.dhcpmon.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
      Detected unpacking (creates a PE file in dynamic memory)
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 11.2.dhcpmon.exe.4920000.9.unpack
      Detected unpacking (overwrites its own PE header)
      Source: C:\Users\user\Desktop\nanocore.exeUnpacked PE file: 2.2.nanocore.exe.400000.0.unpack
      Source: C:\Users\user\Desktop\nanocore.exeUnpacked PE file: 10.2.nanocore.exe.400000.0.unpack
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 11.2.dhcpmon.exe.400000.0.unpack
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 13.2.dhcpmon.exe.400000.1.unpack
      .NET source code contains potential unpacker
      Source: 2.2.nanocore.exe.4a90000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 2.2.nanocore.exe.4a90000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 10.2.nanocore.exe.49c0000.9.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 10.2.nanocore.exe.49c0000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 1_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 2_2_00401F16 push ecx; ret
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 2_2_051C7648 push eax; iretd
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 10_2_00401F16 push ecx; ret
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 10_2_050D7648 push eax; iretd
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 10_2_05266E5D push FFFFFF8Bh; iretd
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 10_1_00401F16 push ecx; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 11_2_00401F16 push ecx; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 11_2_05087648 push eax; iretd
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 11_2_05256E5D push FFFFFF8Bh; iretd
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 11_1_00401F16 push ecx; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_00401F16 push ecx; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_051C7648 push eax; iretd
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_05396E5D push FFFFFF8Bh; iretd
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_1_00401F16 push ecx; ret
      Source: 2.2.nanocore.exe.4a90000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names
      Source: 2.2.nanocore.exe.4a90000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names
      Source: 10.2.nanocore.exe.49c0000.9.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names
      Source: 10.2.nanocore.exe.49c0000.9.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names
      Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names
      Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeFile created: C:\Users\user\AppData\Local\Temp\nse444B.tmp\4rmzuajr4dtt.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeFile created: C:\Users\user\AppData\Local\Temp\nsq6D11.tmp\4rmzuajr4dtt.dll
      Source: C:\Users\user\Desktop\nanocore.exeFile created: C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll
      Source: C:\Users\user\Desktop\nanocore.exeFile created: C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll
      Source: C:\Users\user\Desktop\nanocore.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: C:\Users\user\Desktop\nanocore.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp38C1.tmp'

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\nanocore.exeFile opened: C:\Users\user\Desktop\nanocore.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\nanocore.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\nanocore.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\nanocore.exeWindow / User API: threadDelayed 4165
      Source: C:\Users\user\Desktop\nanocore.exeWindow / User API: threadDelayed 5343
      Source: C:\Users\user\Desktop\nanocore.exeWindow / User API: foregroundWindowGot 941
      Source: C:\Users\user\Desktop\nanocore.exe TID: 6304Thread sleep time: -13835058055282155s >= -30000s
      Source: C:\Users\user\Desktop\nanocore.exe TID: 3136Thread sleep count: 39 > 30
      Source: C:\Users\user\Desktop\nanocore.exe TID: 6792Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 864Thread sleep count: 42 > 30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4780Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7156Thread sleep count: 41 > 30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7036Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 1_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 1_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 1_2_004026BC FindFirstFileA,
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 2_2_00404A29 FindFirstFileExW,
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 8_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 8_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 8_2_004026BC FindFirstFileA,
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 10_2_00404A29 FindFirstFileExW,
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 10_1_00404A29 FindFirstFileExW,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 11_2_00404A29 FindFirstFileExW,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 11_1_00404A29 FindFirstFileExW,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_00404A29 FindFirstFileExW,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_1_00404A29 FindFirstFileExW,
      Source: nanocore.exe, 00000002.00000002.909912427.0000000006530000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: nanocore.exe, 00000002.00000002.909912427.0000000006530000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: nanocore.exe, 00000002.00000002.909912427.0000000006530000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: nanocore.exe, 00000002.00000002.909912427.0000000006530000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\nanocore.exeProcess information queried: ProcessInformation
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 1_2_6FC71000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
      Source: C:\Users\user\Desktop\nanocore.exeCode function: 1_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 1_2_02CB168F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 1_2_02CB18A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 2_2_004035F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 8_2_02CB168F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 8_2_02CB18A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 9_2_0254168F mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 9_2_025418A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_2_004035F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_1_004035F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_2_004035F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_1_004035F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_02B718A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_02B7168F mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_004035F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_1_004035F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 2_2_004067FE GetProcessHeap,
      Source: C:\Users\user\Desktop\nanocore.exe, Process token adjusted: Debug
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 2_2_00401E1D SetUnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 2_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 2_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_2_00401E1D SetUnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_1_00401E1D SetUnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_2_00401E1D SetUnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_1_00401E1D SetUnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_00401E1D SetUnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_1_00401E1D SetUnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\Desktop\nanocore.exe, Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Contains functionality to prevent local Windows debugging
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 1_2_6FC71000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 8_2_6EEC1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 9_2_6EDA1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_6F651000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\nanocore.exe, Section loaded: unknown target: C:\Users\user\Desktop\nanocore.exe protection: execute and read and write
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Section loaded: unknown target: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\nanocore.exe, Process created: C:\Users\user\Desktop\nanocore.exe 'C:\Users\user\Desktop\nanocore.exe'
      Source: C:\Users\user\Desktop\nanocore.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp38C1.tmp'
      Source: C:\Users\user\Desktop\nanocore.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3B81.tmp'
      Source: C:\Users\user\Desktop\nanocore.exe, Process created: C:\Users\user\Desktop\nanocore.exe C:\Users\user\Desktop\nanocore.exe 0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: nanocore.exe, 00000002.00000002.906510253.0000000002AE3000.00000004.00000001.sdmp, Binary or memory string: Program Manager
      Source: nanocore.exe, 00000002.00000002.905490910.0000000000E60000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
      Source: nanocore.exe, 00000002.00000002.905490910.0000000000E60000.00000002.00000001.sdmp, Binary or memory string: Progman
      Source: nanocore.exe, 00000002.00000002.909739780.0000000005A2D000.00000004.00000001.sdmp, Binary or memory string: Program Managerp
      Source: nanocore.exe, 00000002.00000002.905490910.0000000000E60000.00000002.00000001.sdmp, Binary or memory string: Progmanlock
      Source: nanocore.exe, 00000002.00000002.905801654.0000000002531000.00000004.00000001.sdmp, Binary or memory string: Program Manager\9'
      Source: nanocore.exe, 00000002.00000002.909609083.000000000579C000.00000004.00000001.sdmp, Binary or memory string: Program ManagerpJ
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 2_2_0040208D cpuid
      Source: C:\Users\user\Desktop\nanocore.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\nanocore.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\nanocore.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\nanocore.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 2_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
      Source: C:\Users\user\Desktop\nanocore.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: nanocore.exe, 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
      Source: nanocore.exe, String found in binary or memory: NanoCore.ClientPluginHost
      Source: nanocore.exe, 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe; String found in binary or memory: NanoCore.ClientPluginHost
      Yara detected Nanocore RAT

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Native API 1 | Scheduled Task/Job 1 | Process Injection 212 | Disable or Modify Tools 1 | Input Capture 21 | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
      Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Deobfuscate/Decode Files or Information 11 | LSASS Memory | File and Directory Discovery 2 | Remote Desktop Protocol | Input Capture 21 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 2 | Security Account Manager | System Information Discovery 24 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 41 | NTDS | Security Software Discovery 131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 2 | LSA Secrets | Process Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 21 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 31 | Cached Domain Credentials | Virtualization/Sandbox Evasion 31 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 212 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

      Behavior Graph

      [Figure: behavior graph. Behavior Graph ID: 384377; Sample: nanocore.exe; Startdate: 09/04/2021; Architecture: WINDOWS; Score: 100. Nodes shown: nanocore.exe and dhcpmon.exe processes, each dropping C:\Users\user\AppData\...\4rmzuajr4dtt.dll (PE32) and starting a child process of the same name; the first child nanocore.exe contacts chinomso.duckdns.org (213.208.152.210, NEXTLAYER-ASAT, Austria), drops C:\Program Files (x86)\...\dhcpmon.exe (PE32), C:\Users\user\AppData\Roaming\...\run.dat, C:\Users\user\AppData\Local\...\tmp38C1.tmp (XML) and C:\...\dhcpmon.exe:Zone.Identifier, and starts two schtasks.exe processes, each with a conhost.exe child.]


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      nanocore.exe | 21% | Virustotal |
      nanocore.exe | 34% | ReversingLabs | Win32.Trojan.Predator

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 34% | ReversingLabs | Win32.Trojan.Predator
      C:\Users\user\AppData\Local\Temp\nse444B.tmp\4rmzuajr4dtt.dll | 24% | ReversingLabs | Win32.Trojan.Predator
      C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll | 24% | ReversingLabs | Win32.Trojan.Predator
      C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll | 24% | ReversingLabs | Win32.Trojan.Predator
      C:\Users\user\AppData\Local\Temp\nsq6D11.tmp\4rmzuajr4dtt.dll | 24% | ReversingLabs | Win32.Trojan.Predator

      Unpacked PE Files

      Source | Detection | Scanner | Label
      11.2.dhcpmon.exe.4920000.9.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      13.2.dhcpmon.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      10.2.nanocore.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      10.2.nanocore.exe.49c0000.9.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      2.2.nanocore.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      2.2.nanocore.exe.4a90000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      13.2.dhcpmon.exe.4fa0000.9.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      2.2.nanocore.exe.58b0000.12.unpack | 100% | Avira | TR/NanoCore.fadte
      2.1.nanocore.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      1.2.nanocore.exe.6fc70000.6.unpack | 100% | Avira | HEUR/AGEN.1131513
      8.2.nanocore.exe.6eec0000.6.unpack | 100% | Avira | HEUR/AGEN.1131513
      9.2.dhcpmon.exe.6eda0000.6.unpack | 100% | Avira | HEUR/AGEN.1131513
      11.1.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      12.2.dhcpmon.exe.6f650000.6.unpack | 100% | Avira | HEUR/AGEN.1131513
      11.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      10.1.nanocore.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      13.1.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

      Source | Detection | Scanner | Label
      chinomso.duckdns.org | 9% | Virustotal |

      URLs

      Source | Detection | Scanner | Label
      chinomso.duckdns.org | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      chinomso.duckdns.org | 213.208.152.210 | true | true | | unknown

      Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      chinomso.duckdns.org | true | Avira URL Cloud: safe | unknown

      Contacted IPs

      Public

      IP | Domain | Country | ASN | ASN Name | Malicious
      213.208.152.210 | chinomso.duckdns.org | Austria | 1764 | NEXTLAYER-ASAT | true

      Private

      IP
      192.168.2.1

      General Information

      Joe Sandbox Version: 31.0.0 Emerald
      Analysis ID: 384377
      Start date: 09.04.2021
      Start time: 01:07:10
      Joe Sandbox Product: CloudBasic
      Overall analysis duration: 0h 13m 3s
      Hypervisor based Inspection enabled: false
      Report type: light
      Sample file name: nanocore.exe
      Cookbook file name: default.jbs
      Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed: 28
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Detection: MAL
      Classification: mal100.troj.evad.winEXE@18/20@24/2
      EGA Information: Failed
      HDC Information:
      • Successful, ratio: 11.1% (good quality ratio 10.2%)
      • Quality average: 76.5%
      • Quality standard deviation: 31.4%
      HCA Information:
      • Successful, ratio: 96%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .exe
      Warnings:
      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
      • TCP Packets have been reduced to 100
      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
      • Excluded IPs from analysis (whitelisted): 40.88.32.150, 23.54.113.45, 23.54.113.53, 104.43.139.144, 168.61.161.212, 13.64.90.137, 52.255.188.83, 20.82.210.154, 23.10.249.26, 23.10.249.43, 52.155.217.156, 20.54.26.129
      • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
      • Report creation exceeded maximum time and may have missing disassembly code information.
      • Report size exceeded maximum capacity and may have missing behavior information.

      Simulations

      Behavior and APIs

      Time | Type | Description
      01:08:01 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\nanocore.exe" s>$(Arg0)
      01:08:01 | API Interceptor | 1034x Sleep call for process: nanocore.exe modified
      01:08:02 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
      01:08:04 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Joe Sandbox View / Context

      IPs

      Match | Associated Sample Name / URL | Detection | Context
      213.208.152.210 | TNT AWB TRACKING DETAILS.exe | malicious |
      213.208.152.210 | Uv8hwOAKgm.exe | malicious |

          Domains

          Match | Associated Sample Name / URL | Detection | Context
          chinomso.duckdns.org | TNT AWB TRACKING DETAILS.exe | malicious | 213.208.152.210
          chinomso.duckdns.org | Uv8hwOAKgm.exe | malicious | 213.208.152.210
          chinomso.duckdns.org | DHL AWB TRACKING DETAILS.exe | malicious | 98.143.144.221
          chinomso.duckdns.org | DHL AWB TRACKING DETAILS.exe | malicious | 185.150.24.55
          chinomso.duckdns.org | DHL AWB TRACKING DETAILS.exe | malicious | 185.150.24.55
          chinomso.duckdns.org | PAYMENT COPY.exe | malicious | 185.150.24.55
          chinomso.duckdns.org | Ku2bTlXUN4.exe | malicious | 197.211.59.64
          chinomso.duckdns.org | PAYMENT COPY.exe | malicious | 185.150.24.55
          chinomso.duckdns.org | CHEQUE COPY RECEIPT.exe | malicious | 185.150.24.55
          chinomso.duckdns.org | CHEQUE COPY.exe | malicious | 185.150.24.55
          chinomso.duckdns.org | PAYMENT COPY RECEIPT.exe | malicious | 185.150.24.55
          chinomso.duckdns.org | Shiping Doc BL.exe | malicious | 194.5.98.157
          chinomso.duckdns.org | Shiping Doc BL.exe | malicious | 194.5.98.157
          chinomso.duckdns.org | Shiping Doc BL.exe | malicious | 194.5.98.157
          chinomso.duckdns.org | Shiping Doc BL.exe | malicious | 194.5.98.157
          chinomso.duckdns.org | Shiping Doc BL.exe | malicious | 194.5.98.157
          chinomso.duckdns.org | Shiping Doc BL.exe | malicious | 194.5.98.157
          chinomso.duckdns.org | DHL AWB TRACKING DETAIL.exe | malicious | 194.5.98.56
          chinomso.duckdns.org | odou7cg844.exe | malicious | 129.205.124.145
          chinomso.duckdns.org | DHL AWB TRACKING DETAILS.exe | malicious | 185.244.30.86

          ASN

          Match | Associated Sample Name / URL | Detection | Context
          NEXTLAYER-ASAT | TNT AWB TRACKING DETAILS.exe | malicious | 213.208.152.210
          NEXTLAYER-ASAT | Uv8hwOAKgm.exe | malicious | 213.208.152.210
          NEXTLAYER-ASAT | index_2021-03-02-12_11.dll | malicious | 213.208.134.178
          NEXTLAYER-ASAT | AI5aGob7HV.dll | malicious | 213.208.134.178
          NEXTLAYER-ASAT | SkQguXQerV.dll | malicious | 213.208.134.178
          NEXTLAYER-ASAT | LVFIZ8uZzp.dll | malicious | 213.208.134.178
          NEXTLAYER-ASAT | Statement as of_03_01_2021.xlsm | malicious | 213.208.134.178
          NEXTLAYER-ASAT | printouts_of_outstanding_as_of_mar_01_2021.xlsm | malicious | 213.208.134.178
          NEXTLAYER-ASAT | A43zoxMv6x.dll | malicious | 213.208.134.178
          NEXTLAYER-ASAT | 2rS70o1G3T.dll | malicious | 213.208.134.178
          NEXTLAYER-ASAT | eXeMEWy2CI.dll | malicious | 213.208.134.178
          NEXTLAYER-ASAT | 3TWrYtkzly.dll | malicious | 213.208.134.178
          NEXTLAYER-ASAT | Statement_of_Account_as_of_mar_01_2021.xlsm | malicious | 213.208.134.178
          NEXTLAYER-ASAT | index_2021-03-01-17_13.dll | malicious | 213.208.134.178
          NEXTLAYER-ASAT | printouts_of_outstanding_as_of_03_01_2021.xlsm | malicious | 213.208.134.178
          NEXTLAYER-ASAT | DZoj4wicd0.dll | malicious | 213.208.134.178
          NEXTLAYER-ASAT | uwq8T3mqDx.dll | malicious | 213.208.134.178
          NEXTLAYER-ASAT | E2uiGA3X2v.dll | malicious | 213.208.134.178
          NEXTLAYER-ASAT | RjIx2AoDBJ.dll | malicious | 213.208.134.178
          NEXTLAYER-ASAT | v2dw80uF0x.dll | malicious | 213.208.134.178

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Process:C:\Users\user\Desktop\nanocore.exe
          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
          Category:dropped
          Size (bytes):321222
          Entropy (8bit):7.952258735347819
          Encrypted:false
          SSDEEP:6144:HdlwCtaK8BqoNWDCANNpFONOXopiTgRXWTZU3qC4XpO5BDiQ2KHeG:/xtaR0oQDCANPYNNpUDJX45BkEeG
          MD5:08803CC817D8B1046A964AF11685B15C
          SHA1:8D76CC9E4E21F90AAA0D2A8E9DD88CCB03349F29
          SHA-256:00343EF156007C41A76ABEBE2B0304AACC7E2B12E0D30EA476ECF8C847A54DFC
          SHA-512:BF548910BE04B74D3A8BF8F058D642DAC070D0CC94CA4EAC04EBC4341967ACFD65E5B64232BE0345994B05A847C7501C122D6F70AEB1FE7121BC8F093028C2F3
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 34%
          Reputation:low
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
          Process:C:\Users\user\Desktop\nanocore.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):26
          Entropy (8bit):3.95006375643621
          Encrypted:false
          SSDEEP:3:ggPYV:rPYV
          MD5:187F488E27DB4AF347237FE461A079AD
          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
          Malicious:true
          Reputation:high, very likely benign file
          Preview: [ZoneTransfer]....ZoneId=0
          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1216
          Entropy (8bit):5.355304211458859
          Encrypted:false
          SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
          MD5:69206D3AF7D6EFD08F4B4726998856D3
          SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
          SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
          SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
          Malicious:true
          Reputation:moderate, very likely benign file
          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nanocore.exe.log
          Process:C:\Users\user\Desktop\nanocore.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1216
          Entropy (8bit):5.355304211458859
          Encrypted:false
          SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
          MD5:69206D3AF7D6EFD08F4B4726998856D3
          SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
          SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
          SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
          Malicious:true
          Reputation:moderate, very likely benign file
          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
          C:\Users\user\AppData\Local\Temp\6tts4zykw681emdi
          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          File Type:data
          Category:dropped
          Size (bytes):279040
          Entropy (8bit):7.999366542899994
          Encrypted:true
          SSDEEP:6144:BtaK8BqoNWDCANNpFONOXopiTgRXWTZU3qC4XpO5BDiQ2KH5:BtaR0oQDCANPYNNpUDJX45BkE5
          MD5:87317BA0D399E3C709FEE0DD272B7ED2
          SHA1:7A5685DA841B945A6B73BD383D05A83357317296
          SHA-256:96C109DF379172E6953F1E7F38B8C2A638989012662ACDE523BDB7E955F80B68
          SHA-512:8A93D135BD61C1CF00EA7A5E6CCC87BC84C050BE501B3E89829C759463002CFE7B62E52A7C48D1A391BDCF6311014107F8888A81CAFAD4E90B687052389C616C
          Malicious:false
          Reputation:low
          C:\Users\user\AppData\Local\Temp\ks446tcfy17w7jqy3r
          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          File Type:data
          Category:dropped
          Size (bytes):6661
          Entropy (8bit):7.968813365057691
          Encrypted:false
          SSDEEP:96:vQgv6/j3/PiDWkEusDpXtPYTTHfQk01XYNqHhf3/pQI1opkSuWIxMuOpmAd7g:Y9TNDNtPTGNqHhfRQDNIxSpmsk
          MD5:524E815672556CC3AA17CD643C9A351B
          SHA1:49CF76A2F0F2154A7D81D0800DA2B91F0B470DAA
          SHA-256:0F511CF2EAF33C2F20F912E88EBC0A4421780CDDC561C0AE8512E97EEFDF2A70
          SHA-512:BDCCA0642C4EA27FD4ED06411657EBD2665CF9BBA06FB84DEB68AF6DF387FDD4F932E423006B409B424A45B1B94E6CEEF0CF384F46BF86E181F9FF2298A39D23
          Malicious:false
          C:\Users\user\AppData\Local\Temp\nse444B.tmp\4rmzuajr4dtt.dll
          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):5120
          Entropy (8bit):4.188029460900488
          Encrypted:false
          SSDEEP:48:StRJBN/SHIPAK6v5PXha+HGLFHIPAROGa4zzBvoAXAdUMQ9BgqRuqS:GN/KIZ6xYLlIhGXHBgVueKx
          MD5:422D5CA3EDC5BA6E946720C8E1FD69F9
          SHA1:8009E5F7EF9CF4B43DE28D8A11048C195A887EE7
          SHA-256:4D78BB146725F4E19EC267E7DDDC6074F99561482693C6F0CF2C0C64A9EA76A1
          SHA-512:6B3B67C076EE5E61C1EC196D117FF564E7302256C20342750F8CAE761CDE76231B309AEF3A002FD9F0474BDA658DF80577A273EEF30387DE1C56013BD89100E7
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 24%
          C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll
          Process:C:\Users\user\Desktop\nanocore.exe
          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):5120
          Entropy (8bit):4.188029460900488
          Encrypted:false
          SSDEEP:48:StRJBN/SHIPAK6v5PXha+HGLFHIPAROGa4zzBvoAXAdUMQ9BgqRuqS:GN/KIZ6xYLlIhGXHBgVueKx
          MD5:422D5CA3EDC5BA6E946720C8E1FD69F9
          SHA1:8009E5F7EF9CF4B43DE28D8A11048C195A887EE7
          SHA-256:4D78BB146725F4E19EC267E7DDDC6074F99561482693C6F0CF2C0C64A9EA76A1
          SHA-512:6B3B67C076EE5E61C1EC196D117FF564E7302256C20342750F8CAE761CDE76231B309AEF3A002FD9F0474BDA658DF80577A273EEF30387DE1C56013BD89100E7
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 24%
          C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll
          Process:C:\Users\user\Desktop\nanocore.exe
          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):5120
          Entropy (8bit):4.188029460900488
          Encrypted:false
          SSDEEP:48:StRJBN/SHIPAK6v5PXha+HGLFHIPAROGa4zzBvoAXAdUMQ9BgqRuqS:GN/KIZ6xYLlIhGXHBgVueKx
          MD5:422D5CA3EDC5BA6E946720C8E1FD69F9
          SHA1:8009E5F7EF9CF4B43DE28D8A11048C195A887EE7
          SHA-256:4D78BB146725F4E19EC267E7DDDC6074F99561482693C6F0CF2C0C64A9EA76A1
          SHA-512:6B3B67C076EE5E61C1EC196D117FF564E7302256C20342750F8CAE761CDE76231B309AEF3A002FD9F0474BDA658DF80577A273EEF30387DE1C56013BD89100E7
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 24%
          C:\Users\user\AppData\Local\Temp\nsq6D11.tmp\4rmzuajr4dtt.dll
          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):5120
          Entropy (8bit):4.188029460900488
          Encrypted:false
          SSDEEP:48:StRJBN/SHIPAK6v5PXha+HGLFHIPAROGa4zzBvoAXAdUMQ9BgqRuqS:GN/KIZ6xYLlIhGXHBgVueKx
          MD5:422D5CA3EDC5BA6E946720C8E1FD69F9
          SHA1:8009E5F7EF9CF4B43DE28D8A11048C195A887EE7
          SHA-256:4D78BB146725F4E19EC267E7DDDC6074F99561482693C6F0CF2C0C64A9EA76A1
          SHA-512:6B3B67C076EE5E61C1EC196D117FF564E7302256C20342750F8CAE761CDE76231B309AEF3A002FD9F0474BDA658DF80577A273EEF30387DE1C56013BD89100E7
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 24%
          C:\Users\user\AppData\Local\Temp\tmp38C1.tmp
          Process:C:\Users\user\Desktop\nanocore.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1298
          Entropy (8bit):5.088310480171837
          Encrypted:false
          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Y+xtn:cbk4oL600QydbQxIYODOLedq3yj
          MD5:E9CED5EE66F06173F8F3B092B79010DE
          SHA1:BC76BE5331F85F7578FD935962AC9B33CC2B4C84
          SHA-256:4660276EA7A477C5FFCA499897DED1F46699637D3BC1BEA135A81CDE2D65E597
          SHA-512:4358E09932D6C4C95A75DC5C9DE1EE7DA6ABE286C9D28C85034261EB1CA37432FAAAC2565CF8132314926B6EDD41DD508F1CC3212EA2D72C098C3219878963EB
          Malicious:true
          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
          C:\Users\user\AppData\Local\Temp\tmp3B81.tmp
          Process:C:\Users\user\Desktop\nanocore.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:modified
          Size (bytes):1310
          Entropy (8bit):5.109425792877704
          Encrypted:false
          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
          MD5:5C2F41CFC6F988C859DA7D727AC2B62A
          SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
          SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
          SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
          Malicious:false
          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
          Process:C:\Users\user\Desktop\nanocore.exe
          File Type:ISO-8859 text, with no line terminators
          Category:dropped
          Size (bytes):8
          Entropy (8bit):3.0
          Encrypted:false
          SSDEEP:3:rHn:rH
          MD5:6E43C715DA3279FF2D19AACEF5CFA286
          SHA1:0FEE17EEE58CC51B81398326AB1780256AFB4CC4
          SHA-256:17C98C9953D73CDD75CC7FBC761A9FFB005F6D9C941EE28E3453DBA820ED9257
          SHA-512:8E4C1688E2204B5EDD87F277D2211352AFD8CC9CE9F001ACFAEA6791528E5B165B8CA643074B872E2127370F84125860C4413381DBCFFAB0F77C13FF7DF31ECB
          Malicious:true
          Preview: .%+'...H
          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
          Process:C:\Users\user\Desktop\nanocore.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):35
          Entropy (8bit):3.807435516759526
          Encrypted:false
          SSDEEP:3:oNt+WfWLi4dAn:oNwvpAn
          MD5:D43FC6D6883371ADF56312C5835AA391
          SHA1:F520273107B3112B206695814B60A3B99C3AA771
          SHA-256:E311EE9579E921EEBC32D2777133129FF0D961E445A47AD10E01724A4BC40040
          SHA-512:B058B33D57B6340DA0FFEC04B5129C6B20F93C426C51D660B97A2067D9AAF27D7431A5E04FB1A1B078B3B006DF8BE6407E03DA2199090ECF7519267F3BE6649C
          Malicious:false
          Preview: C:\Users\user\Desktop\nanocore.exe

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
          Entropy (8bit):7.952258735347819
          TrID:
          • Win32 Executable (generic) a (10002005/4) 92.16%
          • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:nanocore.exe
          File size:321222
          MD5:08803cc817d8b1046a964af11685b15c
          SHA1:8d76cc9e4e21f90aaa0d2a8e9dd88ccb03349f29
          SHA256:00343ef156007c41a76abebe2b0304aacc7e2b12e0d30ea476ecf8c847a54dfc
          SHA512:bf548910be04b74d3a8bf8f058d642dac070d0cc94ca4eac04ebc4341967acfd65e5b64232be0345994b05a847c7501c122d6f70aeb1fe7121bc8f093028c2f3
          SSDEEP:6144:HdlwCtaK8BqoNWDCANNpFONOXopiTgRXWTZU3qC4XpO5BDiQ2KHeG:/xtaR0oQDCANPYNNpUDJX45BkEeG

          File Icon

          Icon Hash:b2a88c96b2ca6a72

          Static PE Info

          General

          Entrypoint:0x40314a
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          DLL Characteristics:
          Time Stamp:0x4538CD0B [Fri Oct 20 13:20:11 2006 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:18bc6fa81e19f21156316b1ae696ed6b

          Entrypoint Preview

          Instruction
          sub esp, 0000017Ch
          push ebx
          push ebp
          push esi
          xor esi, esi
          push edi
          mov dword ptr [esp+18h], esi
          mov ebp, 00409240h
          mov byte ptr [esp+10h], 00000020h
          call dword ptr [00407030h]
          push esi
          call dword ptr [00407270h]
          mov dword ptr [007A3030h], eax
          push esi
          lea eax, dword ptr [esp+30h]
          push 00000160h
          push eax
          push esi
          push 0079E540h
          call dword ptr [00407158h]
          push 00409230h
          push 007A2780h
          call 00007F08B8C3BAE8h
          mov ebx, 007AA400h
          push ebx
          push 00000400h
          call dword ptr [004070B4h]
          call 00007F08B8C39229h
          test eax, eax
          jne 00007F08B8C392E6h
          push 000003FBh
          push ebx
          call dword ptr [004070B0h]
          push 00409228h
          push ebx
          call 00007F08B8C3BAD3h
          call 00007F08B8C39209h
          test eax, eax
          je 00007F08B8C39402h
          mov edi, 007A9000h
          push edi
          call dword ptr [00407140h]
          call dword ptr [004070ACh]
          push eax
          push edi
          call 00007F08B8C3BA91h
          push 00000000h
          call dword ptr [00407108h]
          cmp byte ptr [007A9000h], 00000022h
          mov dword ptr [007A2F80h], eax
          mov eax, edi
          jne 00007F08B8C392CCh
          mov byte ptr [esp+10h], 00000022h
          mov eax, 00000001h

          Rich Headers

          Programming Language:
          • [EXP] VC++ 6.0 SP5 build 8804

          Data Directories

          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7344 | 0xb4 | .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ac000 | 0x900 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x280 | .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

          Sections

          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0x59de | 0x5a00 | False | 0.681293402778 | data | 6.5143386598 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          .rdata | 0x7000 | 0x10f2 | 0x1200 | False | 0.430338541667 | data | 5.0554281206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data | 0x9000 | 0x39a034 | 0x400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
          .ndata | 0x3a4000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .rsrc | 0x3ac000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94574916515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

          Resources

          Name | RVA | Size | Type | Language | Country
          RT_ICON | 0x3ac190 | 0x2e8 | data | English | United States
          RT_DIALOG | 0x3ac478 | 0x100 | data | English | United States
          RT_DIALOG | 0x3ac578 | 0x11c | data | English | United States
          RT_DIALOG | 0x3ac698 | 0x60 | data | English | United States
          RT_GROUP_ICON | 0x3ac6f8 | 0x14 | data | English | United States
          RT_MANIFEST | 0x3ac710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

          Imports

          DLL | Import
          KERNEL32.dll | CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
          USER32.dll | ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
          GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
          SHELL32.dll | SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
          ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
          COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
          ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance
          VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

          Possible Origin

          Language of compilation system | Country where language is spoken | Map
          English | United States |

          Network Behavior

          Network Port Distribution

          TCP Packets

          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Apr 9, 2021 01:08:24.672143936 CEST497527688192.168.2.4213.208.152.210
          Apr 9, 2021 01:08:24.695725918 CEST768849752213.208.152.210192.168.2.4
          Apr 9, 2021 01:08:28.920422077 CEST497537688192.168.2.4213.208.152.210
          Apr 9, 2021 01:08:28.944849014 CEST768849753213.208.152.210192.168.2.4
          Apr 9, 2021 01:08:29.453850985 CEST497537688192.168.2.4213.208.152.210
          Apr 9, 2021 01:08:29.476957083 CEST768849753213.208.152.210192.168.2.4
          Apr 9, 2021 01:08:29.985090971 CEST497537688192.168.2.4213.208.152.210
          Apr 9, 2021 01:08:30.008549929 CEST768849753213.208.152.210192.168.2.4
          Apr 9, 2021 01:08:34.066354990 CEST497547688192.168.2.4213.208.152.210
          Apr 9, 2021 01:08:34.090085983 CEST768849754213.208.152.210192.168.2.4
          Apr 9, 2021 01:08:34.594835997 CEST497547688192.168.2.4213.208.152.210
          Apr 9, 2021 01:08:34.618825912 CEST768849754213.208.152.210192.168.2.4
          Apr 9, 2021 01:08:35.126112938 CEST497547688192.168.2.4213.208.152.210
          Apr 9, 2021 01:08:35.149136066 CEST768849754213.208.152.210192.168.2.4
          Apr 9, 2021 01:08:39.199570894 CEST497597688192.168.2.4213.208.152.210
          Apr 9, 2021 01:08:39.222735882 CEST768849759213.208.152.210192.168.2.4
          Apr 9, 2021 01:08:39.735841036 CEST497597688192.168.2.4213.208.152.210
          Apr 9, 2021 01:08:39.761449099 CEST768849759213.208.152.210192.168.2.4
          Apr 9, 2021 01:08:40.267229080 CEST497597688192.168.2.4213.208.152.210
          Apr 9, 2021 01:08:40.291462898 CEST768849759213.208.152.210192.168.2.4
          Apr 9, 2021 01:08:44.334249973 CEST497677688192.168.2.4213.208.152.210
          Apr 9, 2021 01:08:44.357805967 CEST768849767213.208.152.210192.168.2.4
          Apr 9, 2021 01:08:44.861443043 CEST497677688192.168.2.4213.208.152.210
          Apr 9, 2021 01:08:44.884512901 CEST768849767213.208.152.210192.168.2.4
          Apr 9, 2021 01:08:45.392525911 CEST497677688192.168.2.4213.208.152.210
          Apr 9, 2021 01:08:45.415189028 CEST768849767213.208.152.210192.168.2.4
          Apr 9, 2021 01:08:49.506330013 CEST497687688192.168.2.4213.208.152.210
          Apr 9, 2021 01:08:49.529818058 CEST768849768213.208.152.210192.168.2.4
          Apr 9, 2021 01:08:50.033529043 CEST497687688192.168.2.4213.208.152.210
          Apr 9, 2021 01:08:50.057566881 CEST768849768213.208.152.210192.168.2.4
          Apr 9, 2021 01:08:50.564888954 CEST497687688192.168.2.4213.208.152.210
          Apr 9, 2021 01:08:50.588016033 CEST768849768213.208.152.210192.168.2.4
          Apr 9, 2021 01:08:54.667339087 CEST497697688192.168.2.4213.208.152.210
          Apr 9, 2021 01:08:54.690824032 CEST768849769213.208.152.210192.168.2.4
          Apr 9, 2021 01:08:55.206002951 CEST497697688192.168.2.4213.208.152.210
          Apr 9, 2021 01:08:55.229613066 CEST768849769213.208.152.210192.168.2.4
          Apr 9, 2021 01:08:55.737279892 CEST497697688192.168.2.4213.208.152.210
          Apr 9, 2021 01:08:55.759967089 CEST768849769213.208.152.210192.168.2.4
          Apr 9, 2021 01:08:59.863363981 CEST497707688192.168.2.4213.208.152.210
          Apr 9, 2021 01:08:59.887548923 CEST768849770213.208.152.210192.168.2.4
          Apr 9, 2021 01:09:00.393878937 CEST497707688192.168.2.4213.208.152.210
          Apr 9, 2021 01:09:00.417368889 CEST768849770213.208.152.210192.168.2.4
          Apr 9, 2021 01:09:00.925184965 CEST497707688192.168.2.4213.208.152.210
          Apr 9, 2021 01:09:00.952183962 CEST768849770213.208.152.210192.168.2.4
          Apr 9, 2021 01:09:05.483297110 CEST497717688192.168.2.4213.208.152.210
          Apr 9, 2021 01:09:05.506546021 CEST768849771213.208.152.210192.168.2.4
          Apr 9, 2021 01:09:06.019205093 CEST497717688192.168.2.4213.208.152.210
          Apr 9, 2021 01:09:06.042946100 CEST768849771213.208.152.210192.168.2.4
          Apr 9, 2021 01:09:06.550513029 CEST497717688192.168.2.4213.208.152.210
          Apr 9, 2021 01:09:06.573656082 CEST768849771213.208.152.210192.168.2.4
          Apr 9, 2021 01:09:10.629232883 CEST497727688192.168.2.4213.208.152.210
          Apr 9, 2021 01:09:10.652252913 CEST768849772213.208.152.210192.168.2.4
          Apr 9, 2021 01:09:11.160331964 CEST497727688192.168.2.4213.208.152.210
          Apr 9, 2021 01:09:11.186142921 CEST768849772213.208.152.210192.168.2.4
          Apr 9, 2021 01:09:11.691643953 CEST497727688192.168.2.4213.208.152.210
          Apr 9, 2021 01:09:11.714682102 CEST768849772213.208.152.210192.168.2.4
          Apr 9, 2021 01:09:15.971256018 CEST497737688192.168.2.4213.208.152.210
          Apr 9, 2021 01:09:15.994257927 CEST768849773213.208.152.210192.168.2.4
          Apr 9, 2021 01:09:16.504492998 CEST497737688192.168.2.4213.208.152.210
          Apr 9, 2021 01:09:16.528068066 CEST768849773213.208.152.210192.168.2.4
          Apr 9, 2021 01:09:17.035680056 CEST497737688192.168.2.4213.208.152.210
          Apr 9, 2021 01:09:17.061697006 CEST768849773213.208.152.210192.168.2.4
          Apr 9, 2021 01:09:21.116499901 CEST497747688192.168.2.4213.208.152.210
          Apr 9, 2021 01:09:21.140182972 CEST768849774213.208.152.210192.168.2.4
          Apr 9, 2021 01:09:21.645622969 CEST497747688192.168.2.4213.208.152.210
          Apr 9, 2021 01:09:21.668996096 CEST768849774213.208.152.210192.168.2.4
          Apr 9, 2021 01:09:22.176837921 CEST497747688192.168.2.4213.208.152.210
          Apr 9, 2021 01:09:22.199614048 CEST768849774213.208.152.210192.168.2.4
          Apr 9, 2021 01:09:26.495048046 CEST497777688192.168.2.4213.208.152.210
          Apr 9, 2021 01:09:26.520327091 CEST768849777213.208.152.210192.168.2.4
          Apr 9, 2021 01:09:27.020973921 CEST497777688192.168.2.4213.208.152.210
          Apr 9, 2021 01:09:27.043709040 CEST768849777213.208.152.210192.168.2.4

          UDP Packets


          DNS Queries


          DNS Answers


          Code Manipulations

          Statistics

          Behavior


          System Behavior

          General

          Start time:01:07:54
          Start date:09/04/2021
          Path:C:\Users\user\Desktop\nanocore.exe
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\Desktop\nanocore.exe'
          Imagebase:0x400000
          File size:321222 bytes
          MD5 hash:08803CC817D8B1046A964AF11685B15C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation:low

          General

          Start time:01:07:55
          Start date:09/04/2021
          Path:C:\Users\user\Desktop\nanocore.exe
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\Desktop\nanocore.exe'
          Imagebase:0x400000
          File size:321222 bytes
          MD5 hash:08803CC817D8B1046A964AF11685B15C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.909694649.00000000058B0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.909694649.00000000058B0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.909694649.00000000058B0000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.907930500.0000000004A92000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.907930500.0000000004A92000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.907930500.0000000004A92000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.905801654.0000000002531000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.904977643.0000000000598000.00000004.00000020.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.904977643.0000000000598000.00000004.00000020.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.904977643.0000000000598000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.909667904.0000000005820000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.909667904.0000000005820000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000001.645917465.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000001.645917465.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000001.645917465.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.907047589.0000000004970000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.907047589.0000000004970000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.907047589.0000000004970000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.907047589.0000000004970000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.906581049.00000000035AC000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.906581049.00000000035AC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation:low

          General

          Start time:01:07:59
          Start date:09/04/2021
          Path:C:\Windows\SysWOW64\schtasks.exe
          Wow64 process (32bit):true
          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp38C1.tmp'
          Imagebase:0x1110000
          File size:185856 bytes
          MD5 hash:15FF7D8324231381BAD48A052F85DF04
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:01:08:00
          Start date:09/04/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff724c50000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:01:08:00
          Start date:09/04/2021
          Path:C:\Windows\SysWOW64\schtasks.exe
          Wow64 process (32bit):true
          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3B81.tmp'
          Imagebase:0x1110000
          File size:185856 bytes
          MD5 hash:15FF7D8324231381BAD48A052F85DF04
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:01:08:00
          Start date:09/04/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff724c50000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:01:08:01
          Start date:09/04/2021
          Path:C:\Users\user\Desktop\nanocore.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\Desktop\nanocore.exe 0
          Imagebase:0x400000
          File size:321222 bytes
          MD5 hash:08803CC817D8B1046A964AF11685B15C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation:low

          General

          Start time:01:08:02
          Start date:09/04/2021
          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Wow64 process (32bit):true
          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
          Imagebase:0x400000
          File size:321222 bytes
          MD5 hash:08803CC817D8B1046A964AF11685B15C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Antivirus matches:
          • Detection: 34%, ReversingLabs
          Reputation:low

          General

          Start time:01:08:02
          Start date:09/04/2021
          Path:C:\Users\user\Desktop\nanocore.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\Desktop\nanocore.exe 0
          Imagebase:0x400000
          File size:321222 bytes
          MD5 hash:08803CC817D8B1046A964AF11685B15C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.683529518.0000000000679000.00000004.00000020.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.683529518.0000000000679000.00000004.00000020.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.683529518.0000000000679000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.684361480.0000000002510000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.684499268.00000000034FC000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.684499268.00000000034FC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.682558622.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.682558622.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.682558622.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.682558622.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.685817351.0000000004940000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.685817351.0000000004940000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.685817351.0000000004940000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.685817351.0000000004940000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.684426343.00000000034C1000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.684426343.00000000034C1000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.684426343.00000000034C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.686102213.00000000049C2000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.686102213.00000000049C2000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.686102213.00000000049C2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation:low

          General

          Start time:01:08:03
          Start date:09/04/2021
          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Wow64 process (32bit):true
          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
          Imagebase:0x400000
          File size:321222 bytes
          MD5 hash:08803CC817D8B1046A964AF11685B15C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.684555433.0000000002320000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.683969306.00000000006FC000.00000004.00000020.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.683969306.00000000006FC000.00000004.00000020.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.683969306.00000000006FC000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.686692380.0000000004922000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.686692380.0000000004922000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.686692380.0000000004922000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.684652674.000000000330C000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.684652674.000000000330C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.686247080.00000000047F0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.686247080.00000000047F0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.686247080.00000000047F0000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.686247080.00000000047F0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.684614120.00000000032D1000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.684614120.00000000032D1000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.684614120.00000000032D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation:low

          General

          Start time:01:08:12
          Start date:09/04/2021
          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Wow64 process (32bit):true
          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
          Imagebase:0x400000
          File size:321222 bytes
          MD5 hash:08803CC817D8B1046A964AF11685B15C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation:low

          General

          Start time:01:08:13
          Start date:09/04/2021
          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Wow64 process (32bit):true
          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
          Imagebase:0x400000
          File size:321222 bytes
          MD5 hash:08803CC817D8B1046A964AF11685B15C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.703714772.00000000033F1000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.703714772.00000000033F1000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.703714772.00000000033F1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.704559063.0000000004FA2000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.704559063.0000000004FA2000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.704559063.0000000004FA2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.703774283.000000000342C000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.703774283.000000000342C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.702826612.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.702826612.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.702826612.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.702826612.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.703677926.0000000002440000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.703409413.00000000006E7000.00000004.00000020.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.703409413.00000000006E7000.00000004.00000020.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.703409413.00000000006E7000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.704356267.0000000004910000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.704356267.0000000004910000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.704356267.0000000004910000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.704356267.0000000004910000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000003.685637337.0000000000711000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000003.685637337.0000000000711000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000003.685637337.0000000000711000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation:low

          Disassembly

          Code Analysis
