Play interactive tour

Edit tour

Analysis Report FKL.exe

Overview

General Information

Sample Name:	FKL.exe
Analysis ID:	412287
MD5:	5ec0dae4627e5c2bfedb9eec381df4c9
SHA1:	bc1961f41857da071ae28d44060b2ffe5644c715
SHA256:	d08baa103db6d39e3d3ec218fef3b9b368e1cee78c25c0abc0cb551d1ff28b36
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Nanocore RAT

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Machine Learning detection for sample

Binary contains a suspicious time stamp

Contains capabilities to detect virtual machines

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

PE / OLE file has an invalid certificate

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Yara signature match

Classification

Startup

System is w10x64

FKL.exe (PID: 964 cmdline: 'C:\Users\user\Desktop\FKL.exe' MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

cmd.exe (PID: 6008 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 5876 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

FKL.exe (PID: 5860 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 2968 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 4752 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 204 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 960 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 1396 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 3092 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 3596 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 2884 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 5040 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 2544 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 6084 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 5540 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 5676 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 5568 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 2268 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 1412 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 1268 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 1100 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 2196 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 5836 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 1280 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 1276 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 1236 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 5020 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 3584 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 5988 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

FKL.exe (PID: 6116 cmdline: C:\Users\user\Desktop\FKL.exe MD5: 5EC0DAE4627E5C2BFEDB9EEC381DF4C9)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "d42469ca-5662-45f6-9b4c-2ecfba7e", "Group": "Default", "Domain1": "", "Domain2": "hdgavzxcniopkjhsvcbnxmnzvqaswyiokdseacbu.ydns.eu", "Port": 1772, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000001C.00000002.311600679.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001C.00000002.311600679.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001C.00000002.311600679.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000026.00000002.339595106.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000026.00000002.339595106.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000026.00000002.339595106.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000B.00000002.279746517.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.279746517.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.279746517.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001F.00000002.320115217.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001F.00000002.320115217.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001F.00000002.320115217.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000F.00000002.284872015.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000002.284872015.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.284872015.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001A.00000002.303777475.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001A.00000002.303777475.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001A.00000002.303777475.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000022.00000002.328008188.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000022.00000002.328008188.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000022.00000002.328008188.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000020.00000002.322465865.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000020.00000002.322465865.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000020.00000002.322465865.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000008.00000002.270944975.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000002.270944975.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.270944975.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000007.00000002.265424770.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.265424770.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.265424770.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.260196506.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.260196506.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.260196506.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001B.00000002.309408324.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001B.00000002.309408324.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000002.309408324.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001D.00000002.314015376.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001D.00000002.314015376.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001D.00000002.314015376.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000D.00000002.282305726.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.282305726.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.282305726.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000025.00000002.335683538.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000025.00000002.335683538.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000025.00000002.335683538.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000009.00000002.274217304.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000002.274217304.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.274217304.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000027.00000002.342982982.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000027.00000002.342982982.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000027.00000002.342982982.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000024.00000002.332921030.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000024.00000002.332921030.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000024.00000002.332921030.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000023.00000002.330463227.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000023.00000002.330463227.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000023.00000002.330463227.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000019.00000002.300936350.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000019.00000002.300936350.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000019.00000002.300936350.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000014.00000002.290138059.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000014.00000002.290138059.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000014.00000002.290138059.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000A.00000002.276534690.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000002.276534690.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.276534690.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000018.00000002.297301031.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000018.00000002.297301031.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000002.297301031.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000003.404392176.000000000426F000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc23d:$x1: NanoCore.ClientPluginHost 0x3ee7d:$x1: NanoCore.ClientPluginHost 0x71abd:$x1: NanoCore.ClientPluginHost 0xa46fd:$x1: NanoCore.ClientPluginHost 0xd733d:$x1: NanoCore.ClientPluginHost 0x109f7d:$x1: NanoCore.ClientPluginHost 0x13cbbd:$x1: NanoCore.ClientPluginHost 0x16f7fd:$x1: NanoCore.ClientPluginHost 0x1a243d:$x1: NanoCore.ClientPluginHost 0x1d507d:$x1: NanoCore.ClientPluginHost 0x207cbd:$x1: NanoCore.ClientPluginHost 0x23a8fd:$x1: NanoCore.ClientPluginHost 0x26d53d:$x1: NanoCore.ClientPluginHost 0x2a017d:$x1: NanoCore.ClientPluginHost 0x2d2dbd:$x1: NanoCore.ClientPluginHost 0x3059fd:$x1: NanoCore.ClientPluginHost 0x33863d:$x1: NanoCore.ClientPluginHost 0x36b27d:$x1: NanoCore.ClientPluginHost 0x39debd:$x1: NanoCore.ClientPluginHost 0x3d0afd:$x1: NanoCore.ClientPluginHost 0xc27a:$x2: IClientNetworkHost
00000000.00000003.404392176.000000000426F000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.404392176.000000000426F000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xbfa5:$a: NanoCore 0xbfb5:$a: NanoCore 0xc1e9:$a: NanoCore 0xc1fd:$a: NanoCore 0xc23d:$a: NanoCore 0x3ebe5:$a: NanoCore 0x3ebf5:$a: NanoCore 0x3ee29:$a: NanoCore 0x3ee3d:$a: NanoCore 0x3ee7d:$a: NanoCore 0x71825:$a: NanoCore 0x71835:$a: NanoCore 0x71a69:$a: NanoCore 0x71a7d:$a: NanoCore 0x71abd:$a: NanoCore 0xa4465:$a: NanoCore 0xa4475:$a: NanoCore 0xa46a9:$a: NanoCore 0xa46bd:$a: NanoCore 0xa46fd:$a: NanoCore 0xd70a5:$a: NanoCore
Process Memory Space: FKL.exe PID: 1276	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x22b5:$x1: NanoCore.ClientPluginHost 0x2316:$x2: IClientNetworkHost 0x771b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1568d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: FKL.exe PID: 1276	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: FKL.exe PID: 1276	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1dba:$a: NanoCore 0x1dd6:$a: NanoCore 0x1f31:$a: NanoCore 0x1f40:$a: NanoCore 0x2219:$a: NanoCore 0x2245:$a: NanoCore 0x22b5:$a: NanoCore 0x11cf7:$a: NanoCore 0x11d09:$a: NanoCore 0x11d45:$a: NanoCore 0x1e61:$b: ClientPlugin 0x1f8a:$b: ClientPlugin 0x224e:$b: ClientPlugin 0x22be:$b: ClientPlugin 0x11d12:$b: ClientPlugin 0x11d4e:$b: ClientPlugin 0x20d7:$c: ProjectData 0x11c44:$c: ProjectData 0x3213:$d: DESCrypto 0x125a2:$d: DESCrypto 0xd5a0:$e: KeepAlive
Process Memory Space: FKL.exe PID: 5836	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x25c6:$x1: NanoCore.ClientPluginHost 0x2627:$x2: IClientNetworkHost 0x7a2c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1599e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: FKL.exe PID: 5836	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: FKL.exe PID: 5836	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x20cb:$a: NanoCore 0x20e7:$a: NanoCore 0x2242:$a: NanoCore 0x2251:$a: NanoCore 0x252a:$a: NanoCore 0x2556:$a: NanoCore 0x25c6:$a: NanoCore 0x12008:$a: NanoCore 0x1201a:$a: NanoCore 0x12056:$a: NanoCore 0x2172:$b: ClientPlugin 0x229b:$b: ClientPlugin 0x255f:$b: ClientPlugin 0x25cf:$b: ClientPlugin 0x12023:$b: ClientPlugin 0x1205f:$b: ClientPlugin 0x23e8:$c: ProjectData 0x11f55:$c: ProjectData 0x3524:$d: DESCrypto 0x128b3:$d: DESCrypto 0xd8b1:$e: KeepAlive
Process Memory Space: FKL.exe PID: 6116	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x25da:$x1: NanoCore.ClientPluginHost 0x263b:$x2: IClientNetworkHost 0x7a40:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x159b2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: FKL.exe PID: 6116	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: FKL.exe PID: 6116	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x20df:$a: NanoCore 0x20fb:$a: NanoCore 0x2256:$a: NanoCore 0x2265:$a: NanoCore 0x253e:$a: NanoCore 0x256a:$a: NanoCore 0x25da:$a: NanoCore 0x1201c:$a: NanoCore 0x1202e:$a: NanoCore 0x1206a:$a: NanoCore 0x2186:$b: ClientPlugin 0x22af:$b: ClientPlugin 0x2573:$b: ClientPlugin 0x25e3:$b: ClientPlugin 0x12037:$b: ClientPlugin 0x12073:$b: ClientPlugin 0x23fc:$c: ProjectData 0x11f69:$c: ProjectData 0x3538:$d: DESCrypto 0x128c7:$d: DESCrypto 0xd8c5:$e: KeepAlive
Process Memory Space: FKL.exe PID: 5568	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x255b82:$x1: NanoCore.ClientPluginHost 0x255be3:$x2: IClientNetworkHost 0x25afe8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x268f5a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: FKL.exe PID: 5568	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: FKL.exe PID: 5568	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x255687:$a: NanoCore 0x2556a3:$a: NanoCore 0x2557fe:$a: NanoCore 0x25580d:$a: NanoCore 0x255ae6:$a: NanoCore 0x255b12:$a: NanoCore 0x255b82:$a: NanoCore 0x2655c4:$a: NanoCore 0x2655d6:$a: NanoCore 0x265612:$a: NanoCore 0x25572e:$b: ClientPlugin 0x255857:$b: ClientPlugin 0x255b1b:$b: ClientPlugin 0x255b8b:$b: ClientPlugin 0x2655df:$b: ClientPlugin 0x26561b:$b: ClientPlugin 0x2559a4:$c: ProjectData 0x265511:$c: ProjectData 0x256ae0:$d: DESCrypto 0x265e6f:$d: DESCrypto 0x260e6d:$e: KeepAlive
Process Memory Space: FKL.exe PID: 1268	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x121f9d:$x1: NanoCore.ClientPluginHost 0x121ffe:$x2: IClientNetworkHost 0x127403:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x135375:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: FKL.exe PID: 1268	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: FKL.exe PID: 1268	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x121aa2:$a: NanoCore 0x121abe:$a: NanoCore 0x121c19:$a: NanoCore 0x121c28:$a: NanoCore 0x121f01:$a: NanoCore 0x121f2d:$a: NanoCore 0x121f9d:$a: NanoCore 0x1319df:$a: NanoCore 0x1319f1:$a: NanoCore 0x131a2d:$a: NanoCore 0x121b49:$b: ClientPlugin 0x121c72:$b: ClientPlugin 0x121f36:$b: ClientPlugin 0x121fa6:$b: ClientPlugin 0x1319fa:$b: ClientPlugin 0x131a36:$b: ClientPlugin 0x121dbf:$c: ProjectData 0x13192c:$c: ProjectData 0x122efb:$d: DESCrypto 0x13228a:$d: DESCrypto 0x12d288:$e: KeepAlive
Process Memory Space: FKL.exe PID: 5860	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13672c:$x1: NanoCore.ClientPluginHost 0x13678d:$x2: IClientNetworkHost 0x13bb92:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x149b04:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: FKL.exe PID: 5860	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: FKL.exe PID: 5860	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x136231:$a: NanoCore 0x13624d:$a: NanoCore 0x1363a8:$a: NanoCore 0x1363b7:$a: NanoCore 0x136690:$a: NanoCore 0x1366bc:$a: NanoCore 0x13672c:$a: NanoCore 0x14616e:$a: NanoCore 0x146180:$a: NanoCore 0x1461bc:$a: NanoCore 0x1362d8:$b: ClientPlugin 0x136401:$b: ClientPlugin 0x1366c5:$b: ClientPlugin 0x136735:$b: ClientPlugin 0x146189:$b: ClientPlugin 0x1461c5:$b: ClientPlugin 0x13654e:$c: ProjectData 0x1460bb:$c: ProjectData 0x13768a:$d: DESCrypto 0x146a19:$d: DESCrypto 0x141a17:$e: KeepAlive
Process Memory Space: FKL.exe PID: 5040	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x256062:$x1: NanoCore.ClientPluginHost 0x2560c3:$x2: IClientNetworkHost 0x25b4c8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x26943a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: FKL.exe PID: 5040	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: FKL.exe PID: 5040	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x255b67:$a: NanoCore 0x255b83:$a: NanoCore 0x255cde:$a: NanoCore 0x255ced:$a: NanoCore 0x255fc6:$a: NanoCore 0x255ff2:$a: NanoCore 0x256062:$a: NanoCore 0x265aa4:$a: NanoCore 0x265ab6:$a: NanoCore 0x265af2:$a: NanoCore 0x255c0e:$b: ClientPlugin 0x255d37:$b: ClientPlugin 0x255ffb:$b: ClientPlugin 0x25606b:$b: ClientPlugin 0x265abf:$b: ClientPlugin 0x265afb:$b: ClientPlugin 0x255e84:$c: ProjectData 0x2659f1:$c: ProjectData 0x256fc0:$d: DESCrypto 0x26634f:$d: DESCrypto 0x26134d:$e: KeepAlive
Process Memory Space: FKL.exe PID: 5540	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x257ba7:$x1: NanoCore.ClientPluginHost 0x257c08:$x2: IClientNetworkHost 0x25d00d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x26af7f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: FKL.exe PID: 5540	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: FKL.exe PID: 5540	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2576ac:$a: NanoCore 0x2576c8:$a: NanoCore 0x257823:$a: NanoCore 0x257832:$a: NanoCore 0x257b0b:$a: NanoCore 0x257b37:$a: NanoCore 0x257ba7:$a: NanoCore 0x2675e9:$a: NanoCore 0x2675fb:$a: NanoCore 0x267637:$a: NanoCore 0x257753:$b: ClientPlugin 0x25787c:$b: ClientPlugin 0x257b40:$b: ClientPlugin 0x257bb0:$b: ClientPlugin 0x267604:$b: ClientPlugin 0x267640:$b: ClientPlugin 0x2579c9:$c: ProjectData 0x267536:$c: ProjectData 0x258b05:$d: DESCrypto 0x267e94:$d: DESCrypto 0x262e92:$e: KeepAlive
Process Memory Space: FKL.exe PID: 1412	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x136287:$x1: NanoCore.ClientPluginHost 0x1362e8:$x2: IClientNetworkHost 0x13b6ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x14965f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: FKL.exe PID: 1412	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: FKL.exe PID: 1412	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x135d8c:$a: NanoCore 0x135da8:$a: NanoCore 0x135f03:$a: NanoCore 0x135f12:$a: NanoCore 0x1361eb:$a: NanoCore 0x136217:$a: NanoCore 0x136287:$a: NanoCore 0x145cc9:$a: NanoCore 0x145cdb:$a: NanoCore 0x145d17:$a: NanoCore 0x135e33:$b: ClientPlugin 0x135f5c:$b: ClientPlugin 0x136220:$b: ClientPlugin 0x136290:$b: ClientPlugin 0x145ce4:$b: ClientPlugin 0x145d20:$b: ClientPlugin 0x1360a9:$c: ProjectData 0x145c16:$c: ProjectData 0x1371e5:$d: DESCrypto 0x146574:$d: DESCrypto 0x141572:$e: KeepAlive
Process Memory Space: FKL.exe PID: 2196	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x121c78:$x1: NanoCore.ClientPluginHost 0x121cd9:$x2: IClientNetworkHost 0x1270de:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x135050:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: FKL.exe PID: 2196	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: FKL.exe PID: 2196	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x12177d:$a: NanoCore 0x121799:$a: NanoCore 0x1218f4:$a: NanoCore 0x121903:$a: NanoCore 0x121bdc:$a: NanoCore 0x121c08:$a: NanoCore 0x121c78:$a: NanoCore 0x1316ba:$a: NanoCore 0x1316cc:$a: NanoCore 0x131708:$a: NanoCore 0x121824:$b: ClientPlugin 0x12194d:$b: ClientPlugin 0x121c11:$b: ClientPlugin 0x121c81:$b: ClientPlugin 0x1316d5:$b: ClientPlugin 0x131711:$b: ClientPlugin 0x121a9a:$c: ProjectData 0x131607:$c: ProjectData 0x122bd6:$d: DESCrypto 0x131f65:$d: DESCrypto 0x12cf63:$e: KeepAlive
Click to see the 97 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
11.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
36.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
36.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
36.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
36.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
39.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
39.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
39.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
39.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
24.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
24.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
24.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
20.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
20.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
31.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
31.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
31.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
31.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
28.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
28.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
28.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
28.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
34.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
34.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
34.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
34.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
35.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
35.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
35.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
35.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
25.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
25.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
25.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
25.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
27.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
27.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
27.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
29.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
29.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
29.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
29.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
37.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
37.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
37.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
37.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
8.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
8.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
13.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
26.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
26.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
26.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
26.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
32.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
32.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
32.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
32.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
9.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
9.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
38.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
38.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
38.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
38.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
15.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
15.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
10.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.FKL.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
10.2.FKL.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.FKL.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Click to see the 87 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 11.2.FKL.exe.400000.0.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "d42469ca-5662-45f6-9b4c-2ecfba7e", "Group": "Default", "Domain1": "", "Domain2": "hdgavzxcniopkjhsvcbnxmnzvqaswyiokdseacbu.ydns.eu", "Port": 1772, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for submitted file

Show sources

Source: FKL.exe	Virustotal: Detection: 18%			Perma Link
Source: FKL.exe	ReversingLabs: Detection: 29%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001C.00000002.311600679.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.339595106.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.279746517.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.320115217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.284872015.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.303777475.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.328008188.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.322465865.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.270944975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.265424770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.260196506.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.309408324.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.314015376.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.282305726.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.335683538.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.274217304.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.342982982.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.332921030.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.330463227.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.300936350.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.290138059.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.276534690.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.297301031.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.404392176.000000000426F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 1276, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 5836, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 6116, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 5568, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 1268, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 5860, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 5040, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 5540, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 1412, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 2196, type: MEMORY
Source: Yara match	File source: 11.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: FKL.exe

Joe Sandbox ML: detected

Source: FKL.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: hdgavzxcniopkjhsvcbnxmnzvqaswyiokdseacbu.ydns.eu

Source: FKL.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: FKL.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: FKL.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: FKL.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: FKL.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: FKL.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: FKL.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: FKL.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: FKL.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: FKL.exe	String found in binary or memory: https://www.digicert.com/CPS0

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001C.00000002.311600679.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.339595106.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.279746517.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.320115217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.284872015.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.303777475.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.328008188.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.322465865.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.270944975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.265424770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.260196506.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.309408324.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.314015376.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.282305726.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.335683538.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.274217304.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.342982982.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.332921030.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.330463227.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.300936350.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.290138059.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.276534690.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.297301031.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.404392176.000000000426F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 1276, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 5836, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 6116, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 5568, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 1268, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 5860, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 5040, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 5540, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 1412, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 2196, type: MEMORY
Source: Yara match	File source: 11.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000001C.00000002.311600679.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001C.00000002.311600679.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000002.339595106.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000026.00000002.339595106.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.279746517.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.279746517.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000002.320115217.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001F.00000002.320115217.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.284872015.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.284872015.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.303777475.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000002.303777475.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.328008188.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000022.00000002.328008188.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000020.00000002.322465865.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000020.00000002.322465865.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.270944975.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.270944975.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.265424770.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.265424770.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.260196506.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.260196506.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.309408324.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000002.309408324.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.314015376.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001D.00000002.314015376.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.282305726.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.282305726.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000025.00000002.335683538.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000025.00000002.335683538.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.274217304.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.274217304.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000027.00000002.342982982.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000027.00000002.342982982.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000024.00000002.332921030.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000024.00000002.332921030.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000002.330463227.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000023.00000002.330463227.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.300936350.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000019.00000002.300936350.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.290138059.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.290138059.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.276534690.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.276534690.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.297301031.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.297301031.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.404392176.000000000426F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.404392176.000000000426F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: FKL.exe PID: 1276, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: FKL.exe PID: 1276, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: FKL.exe PID: 5836, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: FKL.exe PID: 5836, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: FKL.exe PID: 6116, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: FKL.exe PID: 6116, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: FKL.exe PID: 5568, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: FKL.exe PID: 5568, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: FKL.exe PID: 1268, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: FKL.exe PID: 1268, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: FKL.exe PID: 5860, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: FKL.exe PID: 5860, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: FKL.exe PID: 5040, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: FKL.exe PID: 5040, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: FKL.exe PID: 5540, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: FKL.exe PID: 5540, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: FKL.exe PID: 1412, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: FKL.exe PID: 1412, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: FKL.exe PID: 2196, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: FKL.exe PID: 2196, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 36.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 36.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 39.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 39.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 31.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 31.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 35.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 35.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 37.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 37.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 26.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 32.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 32.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 38.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 38.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: FKL.exe

Static PE information: invalid certificate

Source: FKL.exe, 00000000.00000000.232391273.0000000000862000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 00000000.00000003.404392176.000000000426F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameHMIr IzM.exe2 vs FKL.exe
Source: FKL.exe, 00000005.00000000.259487742.0000000000952000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 00000007.00000000.263613268.0000000000B92000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 00000008.00000000.270291539.0000000001052000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 00000009.00000002.274628751.0000000000E52000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 0000000A.00000000.275873725.00000000006D2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 0000000B.00000002.280858470.00000000011E2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 0000000D.00000000.281378452.0000000000872000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 0000000F.00000002.285289923.0000000001232000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 00000012.00000002.287444258.0000000000622000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 00000014.00000002.290432688.0000000000782000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 00000016.00000000.291737872.0000000000452000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 00000017.00000002.295986090.00000000005B2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 00000018.00000000.296727664.00000000011D2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 00000019.00000000.300222704.0000000000D42000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 0000001A.00000002.304131194.0000000000C62000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 0000001B.00000002.309806762.00000000008A2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 0000001C.00000002.312058974.0000000001022000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 0000001D.00000002.314384826.0000000000E42000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 0000001E.00000000.315682859.00000000005E2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 0000001F.00000002.320395663.0000000000842000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 00000020.00000000.321796902.00000000010F2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 00000021.00000002.326108746.0000000000362000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 00000022.00000002.328389736.0000000000ED2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 00000023.00000000.329742208.0000000001212000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 00000024.00000002.334532992.0000000000CA2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 00000025.00000000.334692344.0000000000792000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 00000026.00000000.338712638.0000000000F62000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe, 00000027.00000002.343446698.0000000001182000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe
Source: FKL.exe	Binary or memory string: OriginalFilenamevalueinfiniteVM.exe@ vs FKL.exe

Source: 0000001C.00000002.311600679.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001C.00000002.311600679.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000026.00000002.339595106.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000026.00000002.339595106.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.279746517.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.279746517.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001F.00000002.320115217.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001F.00000002.320115217.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.284872015.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.284872015.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.303777475.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001A.00000002.303777475.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000022.00000002.328008188.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000022.00000002.328008188.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000020.00000002.322465865.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000020.00000002.322465865.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.270944975.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.270944975.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.265424770.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.265424770.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.260196506.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.260196506.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.309408324.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000002.309408324.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000002.314015376.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001D.00000002.314015376.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.282305726.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.282305726.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000025.00000002.335683538.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000025.00000002.335683538.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.274217304.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.274217304.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000027.00000002.342982982.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000027.00000002.342982982.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000024.00000002.332921030.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000024.00000002.332921030.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000023.00000002.330463227.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000023.00000002.330463227.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.300936350.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000002.300936350.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.290138059.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.290138059.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.276534690.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.276534690.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.297301031.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.297301031.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.404392176.000000000426F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.404392176.000000000426F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: FKL.exe PID: 1276, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: FKL.exe PID: 1276, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: FKL.exe PID: 5836, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: FKL.exe PID: 5836, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: FKL.exe PID: 6116, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: FKL.exe PID: 6116, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: FKL.exe PID: 5568, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: FKL.exe PID: 5568, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: FKL.exe PID: 1268, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: FKL.exe PID: 1268, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: FKL.exe PID: 5860, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: FKL.exe PID: 5860, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: FKL.exe PID: 5040, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: FKL.exe PID: 5040, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: FKL.exe PID: 5540, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: FKL.exe PID: 5540, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: FKL.exe PID: 1412, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: FKL.exe PID: 1412, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: FKL.exe PID: 2196, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: FKL.exe PID: 2196, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 36.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 36.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 36.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 39.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 39.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 39.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 31.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 31.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 31.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 34.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 34.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 35.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 35.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 35.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 29.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 37.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 37.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 37.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 26.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 26.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 32.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 32.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 32.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 38.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 38.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 38.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: classification engine

Classification label: mal92.troj.evad.winEXE@261/0@0/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01

Source: FKL.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\FKL.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\FKL.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\FKL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: FKL.exe	Virustotal: Detection: 18%
Source: FKL.exe	ReversingLabs: Detection: 29%

Source: unknown	Process created: C:\Users\user\Desktop\FKL.exe 'C:\Users\user\Desktop\FKL.exe'
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1

Source: C:\Users\user\Desktop\FKL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: FKL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: FKL.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: FKL.exe

Static file information: File size 2360024 > 1048576

Source: FKL.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x23e400

Source: FKL.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: FKL.exe

Static PE information: 0xD9F65925 [Sat Nov 17 01:55:49 2085 UTC]

Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FKL.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\FKL.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\FKL.exe

Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\FKL.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\FKL.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\FKL.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\FKL.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\FKL.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\FKL.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\FKL.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\FKL.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\FKL.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\FKL.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\FKL.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\FKL.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\FKL.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\FKL.exe

Process token adjusted: Debug

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\FKL.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: C:\Users\user\Desktop\FKL.exe C:\Users\user\Desktop\FKL.exe
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\FKL.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1

Source: C:\Users\user\Desktop\FKL.exe	Queries volume information: C:\Users\user\Desktop\FKL.exe VolumeInformation
Source: C:\Users\user\Desktop\FKL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\FKL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\FKL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\FKL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\Desktop\FKL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001C.00000002.311600679.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.339595106.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.279746517.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.320115217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.284872015.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.303777475.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.328008188.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.322465865.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.270944975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.265424770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.260196506.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.309408324.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.314015376.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.282305726.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.335683538.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.274217304.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.342982982.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.332921030.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.330463227.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.300936350.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.290138059.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.276534690.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.297301031.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.404392176.000000000426F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 1276, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 5836, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 6116, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 5568, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 1268, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 5860, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 5040, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 5540, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 1412, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 2196, type: MEMORY
Source: Yara match	File source: 11.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: FKL.exe, 00000000.00000003.404392176.000000000426F000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 00000005.00000002.260196506.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 00000007.00000002.265424770.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 00000008.00000002.270944975.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 00000009.00000002.274217304.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 0000000A.00000002.276534690.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 0000000B.00000002.279746517.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 0000000D.00000002.282305726.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 0000000F.00000002.284872015.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 00000014.00000002.290138059.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 00000018.00000002.297301031.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 00000019.00000002.300936350.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 0000001A.00000002.303777475.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 0000001B.00000002.309408324.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 0000001C.00000002.311600679.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 0000001D.00000002.314015376.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 0000001F.00000002.320115217.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 00000020.00000002.322465865.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 00000022.00000002.328008188.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 00000023.00000002.330463227.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 00000024.00000002.332921030.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 00000025.00000002.335683538.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 00000026.00000002.339595106.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: FKL.exe, 00000027.00000002.342982982.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001C.00000002.311600679.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.339595106.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.279746517.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.320115217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.284872015.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.303777475.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.328008188.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.322465865.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.270944975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.265424770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.260196506.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.309408324.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.314015376.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.282305726.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.335683538.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.274217304.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.342982982.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.332921030.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.330463227.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.300936350.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.290138059.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.276534690.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.297301031.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.404392176.000000000426F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 1276, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 5836, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 6116, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 5568, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 1268, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 5860, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 5040, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 5540, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 1412, type: MEMORY
Source: Yara match	File source: Process Memory Space: FKL.exe PID: 2196, type: MEMORY
Source: Yara match	File source: 11.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FKL.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection11	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery11	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Remote Access Software1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Timestomp1	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery12	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
FKL.exe	19%	Virustotal		Browse
FKL.exe	30%	ReversingLabs	ByteCode-MSIL.Trojan.NanoBot
FKL.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
11.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
39.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
36.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
24.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
20.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
31.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
5.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
28.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
7.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
25.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
35.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
27.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
29.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
34.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
37.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
8.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
9.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
13.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
26.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
32.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
15.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
38.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
10.2.FKL.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
	0%	Avira URL Cloud	safe
hdgavzxcniopkjhsvcbnxmnzvqaswyiokdseacbu.ydns.eu	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
hdgavzxcniopkjhsvcbnxmnzvqaswyiokdseacbu.ydns.eu	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	412287
Start date:	12.05.2021
Start time:	15:23:06
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 30s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	FKL.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@261/0@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 98.2% (good quality ratio 17.2%) Quality average: 8.8% Quality standard deviation: 20.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Report creation exceeded maximum time and may have missing disassembly code information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found. Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	2.6491481932445597
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FKL.exe
File size:	2360024
MD5:	5ec0dae4627e5c2bfedb9eec381df4c9
SHA1:	bc1961f41857da071ae28d44060b2ffe5644c715
SHA256:	d08baa103db6d39e3d3ec218fef3b9b368e1cee78c25c0abc0cb551d1ff28b36
SHA512:	1bfe190a6741aca4ce51c4fbadf565178b9753c16d8d9cded289903536dde91b87d4255a877053a48db53341c2f4bb3265f051ee2d51431516840d3091db50f3
SSDEEP:	1536:qog+I7CudBSHSQKkVdFuqcmq39aH6kxLjPFjAcP+bWP6SZgIFihUgrClFYeUmLh6:qyIZ9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%Y............"...0...#...........$.. ... $...@.. .......................`$......~$...@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x6403de
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xD9F65925 [Sat Nov 17 01:55:49 2085 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	C=k9ae7Q6u28J059tdv3I3dld564Pf, S=sc9RSV74HfKf2a5, L=o4a4U6Zu858exq3eIdfOpG, T=3855e6akTxz98uJe5jb, E=q9y1dQ303ccu9Lkg4E83aS58c65486t3983q14c2Tc49cS, OU=6Fcdx9c8fb87feecb838Lc94d7Sc35ccslg2n36G54I1A3, O=rclilcTcia71nfbNefcdf3cc367dnc5ro, CN=6ad6aL7NF36P6qbb4e29aEe5
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	5/11/2021 4:26:20 AM 5/11/2022 4:26:20 AM
Subject Chain	C=k9ae7Q6u28J059tdv3I3dld564Pf, S=sc9RSV74HfKf2a5, L=o4a4U6Zu858exq3eIdfOpG, T=3855e6akTxz98uJe5jb, E=q9y1dQ303ccu9Lkg4E83aS58c65486t3983q14c2Tc49cS, OU=6Fcdx9c8fb87feecb838Lc94d7Sc35ccslg2n36G54I1A3, O=rclilcTcia71nfbNefcdf3cc367dnc5ro, CN=6ad6aL7NF36P6qbb4e29aEe5
Version:	3
Thumbprint MD5:	5B762F169742E82CEED3FEFE3783DDF4
Thumbprint SHA-1:	DC2C87C05A0596969F3F685FFF739CC1D87F8035
Thumbprint SHA-256:	29BF0DC9535942B28A0BA45EFD0119BB0FE73B4A25FA103B72986971AAA11002
Serial:	0097D7F146EA1B23B3F4442D651D0A84AF

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x240384	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x242000	0x5d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x23ee00	0x14d8	.text
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x244000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x23e3e4	0x23e400	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x242000	0x5d8	0x600	False	0.421223958333	data	4.14409791451	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x244000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2420a0	0x34c	data
RT_MANIFEST	0x2423ec	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2021
Assembly Version	1.0.0.0
InternalName	valueinfiniteVM.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	valueinfiniteVM
ProductVersion	1.0.0.0
FileDescription	valueinfiniteVM
OriginalFilename	valueinfiniteVM.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: FKL.exe PID: 964 Parent PID: 5664

General

Start time:	15:23:59
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\FKL.exe'
Imagebase:	0x620000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.404392176.000000000426F000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.404392176.000000000426F000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.404392176.000000000426F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: cmd.exe PID: 6008 Parent PID: 964

General

Start time:	15:24:08
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase:	0x11c0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6060 Parent PID: 6008

General

Start time:	15:24:09
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exe PID: 5876 Parent PID: 6008

General

Start time:	15:24:09
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 1
Imagebase:	0x150000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: FKL.exe PID: 5860 Parent PID: 964

General

Start time:	15:24:11
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0x710000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.260196506.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.260196506.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.260196506.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 2968 Parent PID: 964

General

Start time:	15:24:12
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0x950000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.265424770.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.265424770.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.265424770.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 4752 Parent PID: 964

General

Start time:	15:24:15
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0x7ff797770000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.270944975.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.270944975.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000002.270944975.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 204 Parent PID: 964

General

Start time:	15:24:17
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0xc10000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.274217304.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.274217304.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000009.00000002.274217304.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 960 Parent PID: 964

General

Start time:	15:24:19
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0x490000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.276534690.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.276534690.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.276534690.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 1396 Parent PID: 964

General

Start time:	15:24:20
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0xfa0000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.279746517.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.279746517.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.279746517.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 3092 Parent PID: 964

General

Start time:	15:24:21
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0x630000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.282305726.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.282305726.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.282305726.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 3596 Parent PID: 964

General

Start time:	15:24:23
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0xff0000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.284872015.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.284872015.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.284872015.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 2884 Parent PID: 964

General

Start time:	15:24:24
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0x3e0000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: FKL.exe PID: 5040 Parent PID: 964

General

Start time:	15:24:25
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0x540000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.290138059.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.290138059.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000014.00000002.290138059.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 2544 Parent PID: 964

General

Start time:	15:24:26
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0x210000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: FKL.exe PID: 6084 Parent PID: 964

General

Start time:	15:24:27
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0x370000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: FKL.exe PID: 5540 Parent PID: 964

General

Start time:	15:24:29
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0xf90000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000002.297301031.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.297301031.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000002.297301031.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 5676 Parent PID: 964

General

Start time:	15:24:30
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0xb00000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000002.300936350.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.300936350.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000019.00000002.300936350.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 5568 Parent PID: 964

General

Start time:	15:24:31
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0xa20000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000002.303777475.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000002.303777475.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001A.00000002.303777475.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 2268 Parent PID: 964

General

Start time:	15:24:33
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0x660000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000002.309408324.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.309408324.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.309408324.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 1412 Parent PID: 964

General

Start time:	15:24:35
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0xde0000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000002.311600679.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.311600679.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.311600679.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 1268 Parent PID: 964

General

Start time:	15:24:36
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0xc00000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000002.314015376.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.314015376.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001D.00000002.314015376.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 1100 Parent PID: 964

General

Start time:	15:24:37
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0x7ff797770000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: FKL.exe PID: 2196 Parent PID: 964

General

Start time:	15:24:38
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0x600000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001F.00000002.320115217.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001F.00000002.320115217.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001F.00000002.320115217.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 5836 Parent PID: 964

General

Start time:	15:24:40
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0xeb0000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000020.00000002.322465865.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000020.00000002.322465865.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000020.00000002.322465865.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 1280 Parent PID: 964

General

Start time:	15:24:41
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0x120000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: FKL.exe PID: 1276 Parent PID: 964

General

Start time:	15:24:43
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0xc90000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.328008188.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.328008188.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000022.00000002.328008188.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 1236 Parent PID: 964

General

Start time:	15:24:44
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0x7ff797770000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000023.00000002.330463227.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000002.330463227.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000023.00000002.330463227.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 5020 Parent PID: 964

General

Start time:	15:24:45
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0xa60000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000024.00000002.332921030.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000024.00000002.332921030.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000024.00000002.332921030.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 3584 Parent PID: 964

General

Start time:	15:24:46
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0x550000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000025.00000002.335683538.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000025.00000002.335683538.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000025.00000002.335683538.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 5988 Parent PID: 964

General

Start time:	15:24:48
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0xd20000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000026.00000002.339595106.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000026.00000002.339595106.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000026.00000002.339595106.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: FKL.exe PID: 6116 Parent PID: 964

General

Start time:	15:24:50
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\FKL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FKL.exe
Imagebase:	0xf40000
File size:	2360024 bytes
MD5 hash:	5EC0DAE4627E5C2BFEDB9EEC381DF4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000027.00000002.342982982.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000027.00000002.342982982.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000027.00000002.342982982.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report FKL.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: FKL.exe PID: 964 Parent PID: 5664

General

Analysis Process: cmd.exe PID: 6008 Parent PID: 964