Play interactive tour

Edit tour

Windows Analysis Report iGZtra5EaP.exe

Overview

General Information

Sample Name:	iGZtra5EaP.exe
Analysis ID:	458908
MD5:	5abfc84b2a671617a4930a61e218b6c6
SHA1:	fb2e5175272b90aa204853dd2ba2dc175ff5958f
SHA256:	776e6e841b2a1b1dacd2beb12f76949dc9a395a45bd7107475d90b60f09e5f39
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

iGZtra5EaP.exe (PID: 5832 cmdline: 'C:\Users\user\Desktop\iGZtra5EaP.exe' MD5: 5ABFC84B2A671617A4930A61E218B6C6)

schtasks.exe (PID: 6008 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp3997.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

iGZtra5EaP.exe (PID: 4720 cmdline: {path} MD5: 5ABFC84B2A671617A4930A61E218B6C6)

schtasks.exe (PID: 4664 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp489A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5556 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4CC2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

iGZtra5EaP.exe (PID: 1288 cmdline: C:\Users\user\Desktop\iGZtra5EaP.exe 0 MD5: 5ABFC84B2A671617A4930A61E218B6C6)

schtasks.exe (PID: 5044 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpF219.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

iGZtra5EaP.exe (PID: 5016 cmdline: {path} MD5: 5ABFC84B2A671617A4930A61E218B6C6)

dhcpmon.exe (PID: 496 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 5ABFC84B2A671617A4930A61E218B6C6)

schtasks.exe (PID: 5004 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpF5E2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 3008 cmdline: {path} MD5: 5ABFC84B2A671617A4930A61E218B6C6)

dhcpmon.exe (PID: 5756 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 5ABFC84B2A671617A4930A61E218B6C6)

schtasks.exe (PID: 1036 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp63D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 5200 cmdline: {path} MD5: 5ABFC84B2A671617A4930A61E218B6C6)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "f0d143be-967c-4293-98d3-3a1e128b", "Group": "BotNet", "Domain1": "microsoftsecurity.sytes.net", "Domain2": "backupnew.duckdns.org", "Port": 1177, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6934b:$a: NanoCore 0x693a4:$a: NanoCore 0x693e1:$a: NanoCore 0x6945a:$a: NanoCore 0x693ad:$b: ClientPlugin 0x693ea:$b: ClientPlugin 0x69ce8:$b: ClientPlugin 0x69cf5:$b: ClientPlugin 0x5f4d6:$e: KeepAlive 0x69835:$g: LogClientMessage 0x697b5:$i: get_Connected 0x59781:$j: #=q 0x597b1:$j: #=q 0x597ed:$j: #=q 0x59815:$j: #=q 0x59845:$j: #=q 0x59875:$j: #=q 0x598a5:$j: #=q 0x598d5:$j: #=q 0x598f1:$j: #=q 0x59921:$j: #=q
0000000C.00000002.482078580.0000000006E40000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
0000000C.00000002.482078580.0000000006E40000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000002.476961664.000000000454E000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.476961664.000000000454E000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1c29:$a: NanoCore 0x1c82:$a: NanoCore 0x1cbf:$a: NanoCore 0x1d38:$a: NanoCore 0x153e3:$a: NanoCore 0x153f8:$a: NanoCore 0x1542d:$a: NanoCore 0x23042:$a: NanoCore 0x23067:$a: NanoCore 0x230c0:$a: NanoCore 0x3325d:$a: NanoCore 0x33283:$a: NanoCore 0x332df:$a: NanoCore 0x40134:$a: NanoCore 0x4018d:$a: NanoCore 0x401c0:$a: NanoCore 0x403ec:$a: NanoCore 0x40468:$a: NanoCore 0x40a81:$a: NanoCore 0x40bca:$a: NanoCore 0x4109e:$a: NanoCore
0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb4c7f:$a: NanoCore 0xb4ca4:$a: NanoCore 0xb4cfd:$a: NanoCore 0xc4e9c:$a: NanoCore 0xc4ec2:$a: NanoCore 0xc4f1e:$a: NanoCore 0xd1d75:$a: NanoCore 0xd1dce:$a: NanoCore 0xd1e01:$a: NanoCore 0xd202d:$a: NanoCore 0xd20a9:$a: NanoCore 0xd26c2:$a: NanoCore 0xd280b:$a: NanoCore 0xd2cdf:$a: NanoCore 0xd2fc6:$a: NanoCore 0xd2fdd:$a: NanoCore 0xdbe81:$a: NanoCore 0xdbefd:$a: NanoCore 0xde7e0:$a: NanoCore 0xe1b92:$a: NanoCore 0xe2f4e:$a: NanoCore
00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000C.00000002.482179100.0000000006E90000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
0000000C.00000002.482179100.0000000006E90000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
0000000C.00000002.471078718.0000000001AD0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
0000000C.00000002.471078718.0000000001AD0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
00000011.00000002.398277931.0000000002B51000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10abd:$x1: NanoCore.ClientPluginHost 0x434dd:$x1: NanoCore.ClientPluginHost 0x10afa:$x2: IClientNetworkHost 0x4351a:$x2: IClientNetworkHost 0x1462d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4704d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10825:$a: NanoCore 0x10835:$a: NanoCore 0x10a69:$a: NanoCore 0x10a7d:$a: NanoCore 0x10abd:$a: NanoCore 0x43245:$a: NanoCore 0x43255:$a: NanoCore 0x43489:$a: NanoCore 0x4349d:$a: NanoCore 0x434dd:$a: NanoCore 0x10884:$b: ClientPlugin 0x10a86:$b: ClientPlugin 0x10ac6:$b: ClientPlugin 0x432a4:$b: ClientPlugin 0x434a6:$b: ClientPlugin 0x434e6:$b: ClientPlugin 0x109ab:$c: ProjectData 0x433cb:$c: ProjectData 0x113b2:$d: DESCrypto 0x43dd2:$d: DESCrypto 0x18d7e:$e: KeepAlive
0000000C.00000002.475401082.000000000374C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x79cb2:$a: NanoCore 0x79cd7:$a: NanoCore 0x79d30:$a: NanoCore 0x89f27:$a: NanoCore 0x89f4d:$a: NanoCore 0x89fa9:$a: NanoCore 0x96e53:$a: NanoCore 0x96eac:$a: NanoCore 0x96edf:$a: NanoCore 0x9710b:$a: NanoCore 0x97187:$a: NanoCore 0x977a0:$a: NanoCore 0x978e9:$a: NanoCore 0x97dbd:$a: NanoCore 0x980a4:$a: NanoCore 0x980bb:$a: NanoCore 0xa0faf:$a: NanoCore 0xa102b:$a: NanoCore 0xa390e:$a: NanoCore 0xa80d0:$a: NanoCore 0xa811a:$a: NanoCore
0000000C.00000002.481910813.0000000006DB0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
0000000C.00000002.481910813.0000000006DB0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
0000000C.00000002.481995550.0000000006E00000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
0000000C.00000002.481995550.0000000006E00000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69463:$a: NanoCore 0x694bc:$a: NanoCore 0x694f9:$a: NanoCore 0x69572:$a: NanoCore 0x694c5:$b: ClientPlugin 0x69502:$b: ClientPlugin 0x69e00:$b: ClientPlugin 0x69e0d:$b: ClientPlugin 0x5f5ee:$e: KeepAlive 0x6994d:$g: LogClientMessage 0x698cd:$i: get_Connected 0x59899:$j: #=q 0x598c9:$j: #=q 0x59905:$j: #=q 0x5992d:$j: #=q 0x5995d:$j: #=q 0x5998d:$j: #=q 0x599bd:$j: #=q 0x599ed:$j: #=q 0x59a09:$j: #=q 0x59a39:$j: #=q
0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435bd:$a: NanoCore 0x43616:$a: NanoCore 0x43653:$a: NanoCore 0x436cc:$a: NanoCore 0x56d77:$a: NanoCore 0x56d8c:$a: NanoCore 0x56dc1:$a: NanoCore 0x6fd73:$a: NanoCore 0x6fd88:$a: NanoCore 0x6fdbd:$a: NanoCore 0x4361f:$b: ClientPlugin 0x4365c:$b: ClientPlugin 0x43f5a:$b: ClientPlugin 0x43f67:$b: ClientPlugin 0x56b33:$b: ClientPlugin 0x56b4e:$b: ClientPlugin 0x56b7e:$b: ClientPlugin 0x56d95:$b: ClientPlugin 0x56dca:$b: ClientPlugin 0x6fb2f:$b: ClientPlugin 0x6fb4a:$b: ClientPlugin
0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.482020693.0000000006E10000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
0000000C.00000002.482020693.0000000006E10000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
0000000C.00000002.481961618.0000000006DE0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
0000000C.00000002.481961618.0000000006DE0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
0000000C.00000002.481945946.0000000006DD0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
0000000C.00000002.481945946.0000000006DD0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10abd:$x1: NanoCore.ClientPluginHost 0x434dd:$x1: NanoCore.ClientPluginHost 0x10afa:$x2: IClientNetworkHost 0x4351a:$x2: IClientNetworkHost 0x1462d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4704d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10825:$a: NanoCore 0x10835:$a: NanoCore 0x10a69:$a: NanoCore 0x10a7d:$a: NanoCore 0x10abd:$a: NanoCore 0x43245:$a: NanoCore 0x43255:$a: NanoCore 0x43489:$a: NanoCore 0x4349d:$a: NanoCore 0x434dd:$a: NanoCore 0x10884:$b: ClientPlugin 0x10a86:$b: ClientPlugin 0x10ac6:$b: ClientPlugin 0x432a4:$b: ClientPlugin 0x434a6:$b: ClientPlugin 0x434e6:$b: ClientPlugin 0x109ab:$c: ProjectData 0x433cb:$c: ProjectData 0x113b2:$d: DESCrypto 0x43dd2:$d: DESCrypto 0x18d7e:$e: KeepAlive
0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000002.482036750.0000000006E20000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
0000000C.00000002.482036750.0000000006E20000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
0000000C.00000002.473787584.00000000034F7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4a012:$a: NanoCore 0x4a037:$a: NanoCore 0x4a090:$a: NanoCore 0x5a277:$a: NanoCore 0x5a29d:$a: NanoCore 0x5a2f9:$a: NanoCore 0x67193:$a: NanoCore 0x671ec:$a: NanoCore 0x6721f:$a: NanoCore 0x6744b:$a: NanoCore 0x674c7:$a: NanoCore 0x67ae0:$a: NanoCore 0x67c29:$a: NanoCore 0x680fd:$a: NanoCore 0x683e4:$a: NanoCore 0x683fb:$a: NanoCore 0x712df:$a: NanoCore 0x7135b:$a: NanoCore 0x73c3e:$a: NanoCore 0x783f0:$a: NanoCore 0x7843a:$a: NanoCore
0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000002.480093816.0000000005EC0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000C.00000002.480093816.0000000005EC0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0000000C.00000002.482102080.0000000006E50000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
0000000C.00000002.482102080.0000000006E50000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
0000000C.00000002.477941629.00000000048DF000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.477941629.00000000048DF000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xde9:$a: NanoCore 0xe42:$a: NanoCore 0xe7f:$a: NanoCore 0xef8:$a: NanoCore 0x145a3:$a: NanoCore 0x145b8:$a: NanoCore 0x145ed:$a: NanoCore 0x22202:$a: NanoCore 0x22227:$a: NanoCore 0x22280:$a: NanoCore 0x3241d:$a: NanoCore 0x32443:$a: NanoCore 0x3249f:$a: NanoCore 0x3f2f4:$a: NanoCore 0x3f34d:$a: NanoCore 0x3f380:$a: NanoCore 0x3f5ac:$a: NanoCore 0x3f628:$a: NanoCore 0x3fc41:$a: NanoCore 0x3fd8a:$a: NanoCore 0x4025e:$a: NanoCore
00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10abd:$x1: NanoCore.ClientPluginHost 0x103cfd:$x1: NanoCore.ClientPluginHost 0x10afa:$x2: IClientNetworkHost 0x103d3a:$x2: IClientNetworkHost 0x1462d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x10786d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10825:$a: NanoCore 0x10835:$a: NanoCore 0x10a69:$a: NanoCore 0x10a7d:$a: NanoCore 0x10abd:$a: NanoCore 0x103a65:$a: NanoCore 0x103a75:$a: NanoCore 0x103ca9:$a: NanoCore 0x103cbd:$a: NanoCore 0x103cfd:$a: NanoCore 0x10884:$b: ClientPlugin 0x10a86:$b: ClientPlugin 0x10ac6:$b: ClientPlugin 0x103ac4:$b: ClientPlugin 0x103cc6:$b: ClientPlugin 0x103d06:$b: ClientPlugin 0x109ab:$c: ProjectData 0x103beb:$c: ProjectData 0x2d5c1b:$c: ProjectData 0x113b2:$d: DESCrypto 0x1045f2:$d: DESCrypto
0000000C.00000002.480306697.0000000006760000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
0000000C.00000002.480306697.0000000006760000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
0000000C.00000002.476599395.00000000044C9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.476599395.00000000044C9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x35bd:$a: NanoCore 0x3616:$a: NanoCore 0x3653:$a: NanoCore 0x36cc:$a: NanoCore 0x16d77:$a: NanoCore 0x16d8c:$a: NanoCore 0x16dc1:$a: NanoCore 0x2fd73:$a: NanoCore 0x2fd88:$a: NanoCore 0x2fdbd:$a: NanoCore 0x361f:$b: ClientPlugin 0x365c:$b: ClientPlugin 0x3f5a:$b: ClientPlugin 0x3f67:$b: ClientPlugin 0x16b33:$b: ClientPlugin 0x16b4e:$b: ClientPlugin 0x16b7e:$b: ClientPlugin 0x16d95:$b: ClientPlugin 0x16dca:$b: ClientPlugin 0x2fb2f:$b: ClientPlugin 0x2fb4a:$b: ClientPlugin
00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10abd:$x1: NanoCore.ClientPluginHost 0x434dd:$x1: NanoCore.ClientPluginHost 0x10afa:$x2: IClientNetworkHost 0x4351a:$x2: IClientNetworkHost 0x1462d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4704d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10825:$a: NanoCore 0x10835:$a: NanoCore 0x10a69:$a: NanoCore 0x10a7d:$a: NanoCore 0x10abd:$a: NanoCore 0x43245:$a: NanoCore 0x43255:$a: NanoCore 0x43489:$a: NanoCore 0x4349d:$a: NanoCore 0x434dd:$a: NanoCore 0x10884:$b: ClientPlugin 0x10a86:$b: ClientPlugin 0x10ac6:$b: ClientPlugin 0x432a4:$b: ClientPlugin 0x434a6:$b: ClientPlugin 0x434e6:$b: ClientPlugin 0x109ab:$c: ProjectData 0x433cb:$c: ProjectData 0x113b2:$d: DESCrypto 0x43dd2:$d: DESCrypto 0x18d7e:$e: KeepAlive
00000000.00000002.293558443.0000000002CC1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435bd:$a: NanoCore 0x43616:$a: NanoCore 0x43653:$a: NanoCore 0x436cc:$a: NanoCore 0x56d77:$a: NanoCore 0x56d8c:$a: NanoCore 0x56dc1:$a: NanoCore 0x6fd73:$a: NanoCore 0x6fd88:$a: NanoCore 0x6fdbd:$a: NanoCore 0x4361f:$b: ClientPlugin 0x4365c:$b: ClientPlugin 0x43f5a:$b: ClientPlugin 0x43f67:$b: ClientPlugin 0x56b33:$b: ClientPlugin 0x56b4e:$b: ClientPlugin 0x56b7e:$b: ClientPlugin 0x56d95:$b: ClientPlugin 0x56dca:$b: ClientPlugin 0x6fb2f:$b: ClientPlugin 0x6fb4a:$b: ClientPlugin
0000001E.00000002.423536148.0000000004019000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001E.00000002.423536148.0000000004019000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435bd:$a: NanoCore 0x43616:$a: NanoCore 0x43653:$a: NanoCore 0x436cc:$a: NanoCore 0x56d77:$a: NanoCore 0x56d8c:$a: NanoCore 0x56dc1:$a: NanoCore 0x6fd73:$a: NanoCore 0x6fd88:$a: NanoCore 0x6fdbd:$a: NanoCore 0x4361f:$b: ClientPlugin 0x4365c:$b: ClientPlugin 0x43f5a:$b: ClientPlugin 0x43f67:$b: ClientPlugin 0x56b33:$b: ClientPlugin 0x56b4e:$b: ClientPlugin 0x56b7e:$b: ClientPlugin 0x56d95:$b: ClientPlugin 0x56dca:$b: ClientPlugin 0x6fb2f:$b: ClientPlugin 0x6fb4a:$b: ClientPlugin
0000000C.00000002.476392070.0000000004481000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.476392070.0000000004481000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x9721:$a: NanoCore 0x977a:$a: NanoCore 0x97b7:$a: NanoCore 0x9830:$a: NanoCore 0x1cedb:$a: NanoCore 0x1cef0:$a: NanoCore 0x1cf25:$a: NanoCore 0x2ab3a:$a: NanoCore 0x2ab5f:$a: NanoCore 0x2abb8:$a: NanoCore 0x9783:$b: ClientPlugin 0x97c0:$b: ClientPlugin 0xa0be:$b: ClientPlugin 0xa0cb:$b: ClientPlugin 0x1cc97:$b: ClientPlugin 0x1ccb2:$b: ClientPlugin 0x1cce2:$b: ClientPlugin 0x1cef9:$b: ClientPlugin 0x1cf2e:$b: ClientPlugin 0x2a931:$b: ClientPlugin 0x2a942:$b: ClientPlugin
00000012.00000002.400511596.0000000003091000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000C.00000002.481978911.0000000006DF0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
0000000C.00000002.481978911.0000000006DF0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000021.00000002.431679291.0000000002FA1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000021.00000002.431679291.0000000002FA1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69463:$a: NanoCore 0x694bc:$a: NanoCore 0x694f9:$a: NanoCore 0x69572:$a: NanoCore 0x694c5:$b: ClientPlugin 0x69502:$b: ClientPlugin 0x69e00:$b: ClientPlugin 0x69e0d:$b: ClientPlugin 0x5f5ee:$e: KeepAlive 0x6994d:$g: LogClientMessage 0x698cd:$i: get_Connected 0x59899:$j: #=q 0x598c9:$j: #=q 0x59905:$j: #=q 0x5992d:$j: #=q 0x5995d:$j: #=q 0x5998d:$j: #=q 0x599bd:$j: #=q 0x599ed:$j: #=q 0x59a09:$j: #=q 0x59a39:$j: #=q
0000000C.00000002.472713339.0000000003481000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: iGZtra5EaP.exe PID: 5832	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb29d8:$x1: NanoCore.ClientPluginHost 0xb2a15:$x2: IClientNetworkHost 0xb5fe8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc0e74:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xd87f4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: iGZtra5EaP.exe PID: 5832	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: iGZtra5EaP.exe PID: 5832	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: iGZtra5EaP.exe PID: 5832	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb271f:$a: NanoCore 0xb272f:$a: NanoCore 0xb27a4:$a: NanoCore 0xb27b3:$a: NanoCore 0xb2984:$a: NanoCore 0xb2998:$a: NanoCore 0xb29d8:$a: NanoCore 0xbd4de:$a: NanoCore 0xbd4f0:$a: NanoCore 0xbd52c:$a: NanoCore 0xd4e5e:$a: NanoCore 0xd4e70:$a: NanoCore 0xd4eac:$a: NanoCore 0xb2743:$b: ClientPlugin 0xb27fd:$b: ClientPlugin 0xb29a1:$b: ClientPlugin 0xb29e1:$b: ClientPlugin 0xbd4f9:$b: ClientPlugin 0xbd535:$b: ClientPlugin 0xd4e79:$b: ClientPlugin 0xd4eb5:$b: ClientPlugin
Process Memory Space: iGZtra5EaP.exe PID: 4720	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x7599:$x1: NanoCore.ClientPluginHost 0x75c3:$x2: IClientNetworkHost 0x1e061d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1ea966:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: iGZtra5EaP.exe PID: 4720	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: iGZtra5EaP.exe PID: 4720	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x7574:$a: NanoCore 0x7599:$a: NanoCore 0x75f2:$a: NanoCore 0xabb7:$a: NanoCore 0xabda:$a: NanoCore 0xac2f:$a: NanoCore 0x15b83:$a: NanoCore 0x15ba7:$a: NanoCore 0x15bff:$a: NanoCore 0x1d075:$a: NanoCore 0x1d0ce:$a: NanoCore 0x1d0f4:$a: NanoCore 0x1d436:$a: NanoCore 0x1d457:$a: NanoCore 0x1d49a:$a: NanoCore 0x1d4ed:$a: NanoCore 0x1d51c:$a: NanoCore 0x1d722:$a: NanoCore 0x1d796:$a: NanoCore 0x1dd4d:$a: NanoCore 0x1de89:$a: NanoCore
Process Memory Space: iGZtra5EaP.exe PID: 1288	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 496	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 5756	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: iGZtra5EaP.exe PID: 5016	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x15d14:$x1: NanoCore.ClientPluginHost 0x15d2e:$x2: IClientNetworkHost 0x31341:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3bdcb:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: iGZtra5EaP.exe PID: 5016	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: iGZtra5EaP.exe PID: 5016	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x74e:$a: NanoCore 0x7a9:$a: NanoCore 0x81d:$a: NanoCore 0x15c7e:$a: NanoCore 0x15cd7:$a: NanoCore 0x15d14:$a: NanoCore 0x15d8d:$a: NanoCore 0x1651b:$a: NanoCore 0x1656e:$a: NanoCore 0x165a7:$a: NanoCore 0x1661a:$a: NanoCore 0x1711f:$a: NanoCore 0x2dcb8:$a: NanoCore 0x2dd13:$a: NanoCore 0x2dd22:$a: NanoCore 0x38435:$a: NanoCore 0x38447:$a: NanoCore 0x38483:$a: NanoCore 0x4abf9:$a: NanoCore 0x4ac0c:$a: NanoCore 0x4ac3e:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 3008	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2b842:$x1: NanoCore.ClientPluginHost 0x2b85c:$x2: IClientNetworkHost 0x35232:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3fcbc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 3008	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 3008	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x11cf4:$a: NanoCore 0x11d08:$a: NanoCore 0x12ae2:$a: NanoCore 0x16649:$a: NanoCore 0x166a4:$a: NanoCore 0x16718:$a: NanoCore 0x2b7ac:$a: NanoCore 0x2b805:$a: NanoCore 0x2b842:$a: NanoCore 0x2b8bb:$a: NanoCore 0x2bda8:$a: NanoCore 0x2bdfb:$a: NanoCore 0x2be34:$a: NanoCore 0x2bea7:$a: NanoCore 0x2c9ac:$a: NanoCore 0x31c04:$a: NanoCore 0x31c13:$a: NanoCore 0x3c326:$a: NanoCore 0x3c338:$a: NanoCore 0x3c374:$a: NanoCore 0x4df5d:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 5200	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3fb2:$x1: NanoCore.ClientPluginHost 0x3fef:$x2: IClientNetworkHost 0x7ae0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12b66:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 5200	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 5200	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3c86:$a: NanoCore 0x3c96:$a: NanoCore 0x3d4e:$a: NanoCore 0x3d5d:$a: NanoCore 0x3f5e:$a: NanoCore 0x3f72:$a: NanoCore 0x3fb2:$a: NanoCore 0xf1d0:$a: NanoCore 0xf1e2:$a: NanoCore 0xf21e:$a: NanoCore 0x2e682:$a: NanoCore 0x2e8eb:$a: NanoCore 0x2e93e:$a: NanoCore 0x2e977:$a: NanoCore 0x2e9ea:$a: NanoCore 0x355a6:$a: NanoCore 0x355b9:$a: NanoCore 0x355eb:$a: NanoCore 0x3b241:$a: NanoCore 0x3b254:$a: NanoCore 0x3b286:$a: NanoCore
Click to see the 96 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.iGZtra5EaP.exe.6de0000.35.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
12.2.iGZtra5EaP.exe.6de0000.35.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6e10000.38.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e10000.38.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
33.2.dhcpmon.exe.3009684.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
33.2.dhcpmon.exe.3009684.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6760000.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6760000.28.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
30.2.dhcpmon.exe.4060614.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
30.2.dhcpmon.exe.4060614.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
30.2.dhcpmon.exe.4060614.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.2.iGZtra5EaP.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
27.2.iGZtra5EaP.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
27.2.iGZtra5EaP.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.2.iGZtra5EaP.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
27.2.iGZtra5EaP.exe.3a64c3d.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24180:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241ad:$x2: IClientNetworkHost
27.2.iGZtra5EaP.exe.3a64c3d.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24180:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2525b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2419a:$s5: IClientLoggingHost
27.2.iGZtra5EaP.exe.3a64c3d.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.6e40000.40.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e40000.40.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
17.2.iGZtra5EaP.exe.3b59930.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
17.2.iGZtra5EaP.exe.3b59930.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
17.2.iGZtra5EaP.exe.3b59930.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.iGZtra5EaP.exe.3b59930.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
20.2.dhcpmon.exe.4149930.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.dhcpmon.exe.4149930.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.dhcpmon.exe.4149930.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
12.2.iGZtra5EaP.exe.44d4c3d.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24180:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241ad:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.44d4c3d.15.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24180:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2525b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2419a:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.44d4c3d.15.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.69d4629.30.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.69d4629.30.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.69d4629.30.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.6e54c9f.43.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e54c9f.43.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
33.2.dhcpmon.exe.3ff0614.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287a9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287d6:$x2: IClientNetworkHost
33.2.dhcpmon.exe.3ff0614.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287a9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29884:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287c3:$s5: IClientLoggingHost
33.2.dhcpmon.exe.3ff0614.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.6e90000.44.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e90000.44.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6e10000.38.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e10000.38.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
30.2.dhcpmon.exe.405b7de.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5df:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d60c:$x2: IClientNetworkHost
30.2.dhcpmon.exe.405b7de.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5df:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6ba:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5f9:$s5: IClientLoggingHost
30.2.dhcpmon.exe.405b7de.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
30.2.dhcpmon.exe.405b7de.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d595:$a: NanoCore 0x2d5aa:$a: NanoCore 0x2d5df:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d351:$b: ClientPlugin 0x2d36c:$b: ClientPlugin
12.2.iGZtra5EaP.exe.37e1a28.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb587:$x1: NanoCore.ClientPluginHost 0x126a8:$x1: NanoCore.ClientPluginHost 0x18985:$x1: NanoCore.ClientPluginHost 0x22fe7:$x1: NanoCore.ClientPluginHost 0x2d467:$x1: NanoCore.ClientPluginHost 0x3849d:$x1: NanoCore.ClientPluginHost 0x44297:$x1: NanoCore.ClientPluginHost 0x50082:$x1: NanoCore.ClientPluginHost 0x62083:$x1: NanoCore.ClientPluginHost 0x66ea3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb5c0:$x2: IClientNetworkHost 0x189be:$x2: IClientNetworkHost 0x23144:$x2: IClientNetworkHost 0x2d4a0:$x2: IClientNetworkHost 0x384b7:$x2: IClientNetworkHost 0x442b1:$x2: IClientNetworkHost 0x500bf:$x2: IClientNetworkHost 0x6209d:$x2: IClientNetworkHost 0x66ebd:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.37e1a28.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0xb587:$x2: NanoCore.ClientPluginHost 0x126a8:$x2: NanoCore.ClientPluginHost 0x18985:$x2: NanoCore.ClientPluginHost 0x22fe7:$x2: NanoCore.ClientPluginHost 0x2d467:$x2: NanoCore.ClientPluginHost 0x3849d:$x2: NanoCore.ClientPluginHost 0x44297:$x2: NanoCore.ClientPluginHost 0x50082:$x2: NanoCore.ClientPluginHost 0x62083:$x2: NanoCore.ClientPluginHost 0x66ea3:$x2: NanoCore.ClientPluginHost 0x23f3d:$s3: PipeExists 0x6246f:$s3: PipeExists 0x6728f:$s3: PipeExists 0x1800:$s4: PipeCreated 0xb68b:$s4: PipeCreated 0x12786:$s4: PipeCreated 0x18aa0:$s4: PipeCreated 0x231dd:$s4: PipeCreated 0x2d5b2:$s4: PipeCreated 0x394d2:$s4: PipeCreated
12.2.iGZtra5EaP.exe.37e1a28.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb587:$a: NanoCore 0xb603:$a: NanoCore 0xdee6:$a: NanoCore 0x126a8:$a: NanoCore 0x126f2:$a: NanoCore 0x1334c:$a: NanoCore 0x18985:$a: NanoCore 0x189ff:$a: NanoCore 0x22fe7:$a: NanoCore 0x230d1:$a: NanoCore 0x23f48:$a: NanoCore
12.2.iGZtra5EaP.exe.37cd3a8.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.37cd3a8.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6dd0000.34.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6dd0000.34.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.448e778.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x1d3e7:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x1d411:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.448e778.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x1d3e7:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x1f297:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.448e778.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.34b6ba0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.34b6ba0.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6e20000.39.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e20000.39.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
30.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
30.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
30.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
30.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.2.iGZtra5EaP.exe.1ad0000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.1ad0000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
33.2.dhcpmon.exe.3feb7de.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5df:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d60c:$x2: IClientNetworkHost
33.2.dhcpmon.exe.3feb7de.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5df:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6ba:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5f9:$s5: IClientLoggingHost
33.2.dhcpmon.exe.3feb7de.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
33.2.dhcpmon.exe.3feb7de.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d595:$a: NanoCore 0x2d5aa:$a: NanoCore 0x2d5df:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d351:$b: ClientPlugin 0x2d36c:$b: ClientPlugin
12.2.iGZtra5EaP.exe.48fc66c.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.48fc66c.23.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
12.2.iGZtra5EaP.exe.470d0e9.21.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.470d0e9.21.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
12.2.iGZtra5EaP.exe.69d0000.31.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.69d0000.31.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.69d0000.31.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.353c47c.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14e21:$x1: NanoCore.ClientPluginHost 0x21fcf:$x1: NanoCore.ClientPluginHost 0x2be63:$x1: NanoCore.ClientPluginHost 0x32f74:$x1: NanoCore.ClientPluginHost 0x39241:$x1: NanoCore.ClientPluginHost 0x43893:$x1: NanoCore.ClientPluginHost 0x4dd03:$x1: NanoCore.ClientPluginHost 0x58d29:$x1: NanoCore.ClientPluginHost 0x64b13:$x1: NanoCore.ClientPluginHost 0x708d2:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e4e:$x2: IClientNetworkHost 0x22008:$x2: IClientNetworkHost 0x2be9c:$x2: IClientNetworkHost 0x3927a:$x2: IClientNetworkHost 0x439f0:$x2: IClientNetworkHost 0x4dd3c:$x2: IClientNetworkHost 0x58d43:$x2: IClientNetworkHost 0x64b2d:$x2: IClientNetworkHost 0x7090f:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.353c47c.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14e21:$x2: NanoCore.ClientPluginHost 0x21fcf:$x2: NanoCore.ClientPluginHost 0x2be63:$x2: NanoCore.ClientPluginHost 0x32f74:$x2: NanoCore.ClientPluginHost 0x39241:$x2: NanoCore.ClientPluginHost 0x43893:$x2: NanoCore.ClientPluginHost 0x4dd03:$x2: NanoCore.ClientPluginHost 0x58d29:$x2: NanoCore.ClientPluginHost 0x64b13:$x2: NanoCore.ClientPluginHost 0x708d2:$x2: NanoCore.ClientPluginHost 0x15df0:$s2: FileCommand 0x447e9:$s3: PipeExists 0x6a6b:$s4: PipeCreated 0x1a7f2:$s4: PipeCreated 0x220ec:$s4: PipeCreated 0x2bf67:$s4: PipeCreated 0x33052:$s4: PipeCreated 0x3935c:$s4: PipeCreated 0x43a89:$s4: PipeCreated 0x4de4e:$s4: PipeCreated
12.2.iGZtra5EaP.exe.353c47c.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14dfb:$a: NanoCore 0x14e21:$a: NanoCore 0x14e7d:$a: NanoCore 0x21d17:$a: NanoCore 0x21d70:$a: NanoCore 0x21da3:$a: NanoCore 0x21fcf:$a: NanoCore 0x2204b:$a: NanoCore 0x22664:$a: NanoCore 0x227ad:$a: NanoCore 0x22c81:$a: NanoCore 0x22f68:$a: NanoCore 0x22f7f:$a: NanoCore 0x2be63:$a: NanoCore 0x2bedf:$a: NanoCore 0x2e7c2:$a: NanoCore 0x32f74:$a: NanoCore 0x32fbe:$a: NanoCore
12.2.iGZtra5EaP.exe.48e3e40.25.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.48e3e40.25.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.48e3e40.25.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.dhcpmon.exe.4099930.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
18.2.dhcpmon.exe.4099930.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.dhcpmon.exe.4099930.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
12.2.iGZtra5EaP.exe.6db0000.33.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6db0000.33.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.69d0000.31.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.69d0000.31.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.69d0000.31.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.4492da1.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x18dbe:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x18de8:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.4492da1.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x18dbe:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x1ac6e:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.4492da1.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x1d3e7:$x1: NanoCore.ClientPluginHost 0x2d603:$x1: NanoCore.ClientPluginHost 0x3a76c:$x1: NanoCore.ClientPluginHost 0x3fe5f:$x1: NanoCore.ClientPluginHost 0x460e8:$x1: NanoCore.ClientPluginHost 0x506f7:$x1: NanoCore.ClientPluginHost 0x5ab22:$x1: NanoCore.ClientPluginHost 0x65aff:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x1d411:$x2: IClientNetworkHost 0x2d630:$x2: IClientNetworkHost 0x3a7a5:$x2: IClientNetworkHost 0x46121:$x2: IClientNetworkHost 0x50854:$x2: IClientNetworkHost 0x5ab5b:$x2: IClientNetworkHost 0x65b19:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x1d3e7:$x2: NanoCore.ClientPluginHost 0x2d603:$x2: NanoCore.ClientPluginHost 0x3a76c:$x2: NanoCore.ClientPluginHost 0x3fe5f:$x2: NanoCore.ClientPluginHost 0x460e8:$x2: NanoCore.ClientPluginHost 0x506f7:$x2: NanoCore.ClientPluginHost 0x5ab22:$x2: NanoCore.ClientPluginHost 0x65aff:$x2: NanoCore.ClientPluginHost 0x2e5d2:$s2: FileCommand 0x5164d:$s3: PipeExists 0x10888:$s4: PipeCreated 0x1f297:$s4: PipeCreated 0x32fd4:$s4: PipeCreated 0x3a889:$s4: PipeCreated 0x3ff3d:$s4: PipeCreated 0x46203:$s4: PipeCreated 0x508ed:$s4: PipeCreated 0x5ac6d:$s4: PipeCreated 0x66b34:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf763:$a: NanoCore 0xf778:$a: NanoCore 0xf7ad:$a: NanoCore 0x1d3c2:$a: NanoCore 0x1d3e7:$a: NanoCore 0x1d440:$a: NanoCore 0x2d5dd:$a: NanoCore 0x2d603:$a: NanoCore 0x2d65f:$a: NanoCore 0x3a4b4:$a: NanoCore 0x3a50d:$a: NanoCore 0x3a540:$a: NanoCore 0x3a76c:$a: NanoCore 0x3a7e8:$a: NanoCore 0x3ae01:$a: NanoCore 0x3af4a:$a: NanoCore 0x3b41e:$a: NanoCore 0x3b705:$a: NanoCore 0x3b71c:$a: NanoCore 0x3eaa5:$a: NanoCore 0x3fe5f:$a: NanoCore
12.2.iGZtra5EaP.exe.44d0614.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.44d0614.14.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.44d0614.14.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.2.iGZtra5EaP.exe.3a60614.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287a9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287d6:$x2: IClientNetworkHost
27.2.iGZtra5EaP.exe.3a60614.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287a9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29884:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287c3:$s5: IClientLoggingHost
27.2.iGZtra5EaP.exe.3a60614.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.dhcpmon.exe.4149930.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.dhcpmon.exe.4149930.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
20.2.dhcpmon.exe.4149930.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.dhcpmon.exe.4149930.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.iGZtra5EaP.exe.6e5e8a4.41.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e5e8a4.41.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5df:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d60c:$x2: IClientNetworkHost
27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5df:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6ba:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5f9:$s5: IClientLoggingHost
27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d595:$a: NanoCore 0x2d5aa:$a: NanoCore 0x2d5df:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d351:$b: ClientPlugin 0x2d36c:$b: ClientPlugin
30.2.dhcpmon.exe.3079684.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
30.2.dhcpmon.exe.3079684.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
27.2.iGZtra5EaP.exe.2a7956c.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
27.2.iGZtra5EaP.exe.2a7956c.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6df0000.36.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6df0000.36.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6e20000.39.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e20000.39.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.1ad0000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.1ad0000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
12.2.iGZtra5EaP.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.iGZtra5EaP.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
30.2.dhcpmon.exe.4064c3d.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24180:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241ad:$x2: IClientNetworkHost
30.2.dhcpmon.exe.4064c3d.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24180:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2525b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2419a:$s5: IClientLoggingHost
30.2.dhcpmon.exe.4064c3d.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.6e00000.37.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e00000.37.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6e90000.44.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e90000.44.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6e40000.40.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e40000.40.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6e00000.37.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e00000.37.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.4489942.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2221d:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x22247:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.4489942.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2221d:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x240cd:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.4489942.13.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.4489942.13.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x221f8:$a: NanoCore 0x2221d:$a: NanoCore 0x22276:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x21fef:$b: ClientPlugin 0x22000:$b: ClientPlugin
12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2221d:$x1: NanoCore.ClientPluginHost 0x32439:$x1: NanoCore.ClientPluginHost 0x3f5a2:$x1: NanoCore.ClientPluginHost 0x44c95:$x1: NanoCore.ClientPluginHost 0x4af1e:$x1: NanoCore.ClientPluginHost 0x5552d:$x1: NanoCore.ClientPluginHost 0x5f958:$x1: NanoCore.ClientPluginHost 0x6a935:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x22247:$x2: IClientNetworkHost 0x32466:$x2: IClientNetworkHost 0x3f5db:$x2: IClientNetworkHost 0x4af57:$x2: IClientNetworkHost 0x5568a:$x2: IClientNetworkHost 0x5f991:$x2: IClientNetworkHost 0x6a94f:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2221d:$x2: NanoCore.ClientPluginHost 0x32439:$x2: NanoCore.ClientPluginHost 0x3f5a2:$x2: NanoCore.ClientPluginHost 0x44c95:$x2: NanoCore.ClientPluginHost 0x4af1e:$x2: NanoCore.ClientPluginHost 0x5552d:$x2: NanoCore.ClientPluginHost 0x5f958:$x2: NanoCore.ClientPluginHost 0x6a935:$x2: NanoCore.ClientPluginHost 0x33408:$s2: FileCommand 0x1261:$s3: PipeExists 0x56483:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x240cd:$s4: PipeCreated 0x37e0a:$s4: PipeCreated 0x3f6bf:$s4: PipeCreated 0x44d73:$s4: PipeCreated 0x4b039:$s4: PipeCreated 0x55723:$s4: PipeCreated
12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x221f8:$a: NanoCore 0x2221d:$a: NanoCore 0x22276:$a: NanoCore 0x32413:$a: NanoCore 0x32439:$a: NanoCore 0x32495:$a: NanoCore 0x3f2ea:$a: NanoCore 0x3f343:$a: NanoCore 0x3f376:$a: NanoCore 0x3f5a2:$a: NanoCore 0x3f61e:$a: NanoCore 0x3fc37:$a: NanoCore 0x3fd80:$a: NanoCore 0x40254:$a: NanoCore
12.2.iGZtra5EaP.exe.4553c80.19.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.4553c80.19.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.4553c80.19.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.6760000.28.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6760000.28.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.353c47c.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.353c47c.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5df:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d60c:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5df:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6ba:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5f9:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d595:$a: NanoCore 0x2d5aa:$a: NanoCore 0x2d5df:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d351:$b: ClientPlugin 0x2d36c:$b: ClientPlugin
27.2.iGZtra5EaP.exe.3a60614.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
27.2.iGZtra5EaP.exe.3a60614.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
27.2.iGZtra5EaP.exe.3a60614.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.48e3e40.25.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.48e3e40.25.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf763:$a: NanoCore 0xf778:$a: NanoCore 0xf7ad:$a: NanoCore 0x1d3c2:$a: NanoCore 0x1d3e7:$a: NanoCore 0x1d440:$a: NanoCore 0x2d5dd:$a: NanoCore 0x2d603:$a: NanoCore 0x2d65f:$a: NanoCore 0x3a4b4:$a: NanoCore 0x3a50d:$a: NanoCore 0x3a540:$a: NanoCore 0x3a76c:$a: NanoCore 0x3a7e8:$a: NanoCore 0x3ae01:$a: NanoCore 0x3af4a:$a: NanoCore 0x3b41e:$a: NanoCore 0x3b705:$a: NanoCore 0x3b71c:$a: NanoCore 0x3eaa5:$a: NanoCore 0x3fe5f:$a: NanoCore
33.2.dhcpmon.exe.3ff4c3d.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24180:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241ad:$x2: IClientNetworkHost
33.2.dhcpmon.exe.3ff4c3d.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24180:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2525b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2419a:$s5: IClientLoggingHost
33.2.dhcpmon.exe.3ff4c3d.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.448e778.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.448e778.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.448e778.11.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x18dbe:$x1: NanoCore.ClientPluginHost 0x28fda:$x1: NanoCore.ClientPluginHost 0x36143:$x1: NanoCore.ClientPluginHost 0x3b836:$x1: NanoCore.ClientPluginHost 0x41abf:$x1: NanoCore.ClientPluginHost 0x4c0ce:$x1: NanoCore.ClientPluginHost 0x564f9:$x1: NanoCore.ClientPluginHost 0x614d6:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x18de8:$x2: IClientNetworkHost 0x29007:$x2: IClientNetworkHost 0x3617c:$x2: IClientNetworkHost 0x41af8:$x2: IClientNetworkHost 0x4c22b:$x2: IClientNetworkHost 0x56532:$x2: IClientNetworkHost 0x614f0:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x18dbe:$x2: NanoCore.ClientPluginHost 0x28fda:$x2: NanoCore.ClientPluginHost 0x36143:$x2: NanoCore.ClientPluginHost 0x3b836:$x2: NanoCore.ClientPluginHost 0x41abf:$x2: NanoCore.ClientPluginHost 0x4c0ce:$x2: NanoCore.ClientPluginHost 0x564f9:$x2: NanoCore.ClientPluginHost 0x614d6:$x2: NanoCore.ClientPluginHost 0x29fa9:$s2: FileCommand 0x4d024:$s3: PipeExists 0xc25f:$s4: PipeCreated 0x1ac6e:$s4: PipeCreated 0x2e9ab:$s4: PipeCreated 0x36260:$s4: PipeCreated 0x3b914:$s4: PipeCreated 0x41bda:$s4: PipeCreated 0x4c2c4:$s4: PipeCreated 0x56644:$s4: PipeCreated 0x6250b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb13a:$a: NanoCore 0xb14f:$a: NanoCore 0xb184:$a: NanoCore 0x18d99:$a: NanoCore 0x18dbe:$a: NanoCore 0x18e17:$a: NanoCore 0x28fb4:$a: NanoCore 0x28fda:$a: NanoCore 0x29036:$a: NanoCore 0x35e8b:$a: NanoCore 0x35ee4:$a: NanoCore 0x35f17:$a: NanoCore 0x36143:$a: NanoCore 0x361bf:$a: NanoCore 0x367d8:$a: NanoCore 0x36921:$a: NanoCore 0x36df5:$a: NanoCore 0x370dc:$a: NanoCore 0x370f3:$a: NanoCore 0x3a47c:$a: NanoCore 0x3b836:$a: NanoCore
12.2.iGZtra5EaP.exe.35486f8.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.35486f8.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
18.2.dhcpmon.exe.4099930.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
18.2.dhcpmon.exe.4099930.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
18.2.dhcpmon.exe.4099930.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.dhcpmon.exe.4099930.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.iGZtra5EaP.exe.37c111c.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.37c111c.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
30.2.dhcpmon.exe.4060614.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287a9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287d6:$x2: IClientNetworkHost
30.2.dhcpmon.exe.4060614.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287a9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29884:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287c3:$s5: IClientLoggingHost
30.2.dhcpmon.exe.4060614.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
33.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
33.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
33.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
33.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
33.2.dhcpmon.exe.3ff0614.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
33.2.dhcpmon.exe.3ff0614.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
33.2.dhcpmon.exe.3ff0614.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.471931d.20.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.471931d.20.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.5ec0000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.5ec0000.27.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.35486f8.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d53:$x1: NanoCore.ClientPluginHost 0x1fbe7:$x1: NanoCore.ClientPluginHost 0x26cf8:$x1: NanoCore.ClientPluginHost 0x2cfc5:$x1: NanoCore.ClientPluginHost 0x37617:$x1: NanoCore.ClientPluginHost 0x41a87:$x1: NanoCore.ClientPluginHost 0x4caad:$x1: NanoCore.ClientPluginHost 0x58897:$x1: NanoCore.ClientPluginHost 0x64656:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d8c:$x2: IClientNetworkHost 0x1fc20:$x2: IClientNetworkHost 0x2cffe:$x2: IClientNetworkHost 0x37774:$x2: IClientNetworkHost 0x41ac0:$x2: IClientNetworkHost 0x4cac7:$x2: IClientNetworkHost 0x588b1:$x2: IClientNetworkHost 0x64693:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.35486f8.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d53:$x2: NanoCore.ClientPluginHost 0x1fbe7:$x2: NanoCore.ClientPluginHost 0x26cf8:$x2: NanoCore.ClientPluginHost 0x2cfc5:$x2: NanoCore.ClientPluginHost 0x37617:$x2: NanoCore.ClientPluginHost 0x41a87:$x2: NanoCore.ClientPluginHost 0x4caad:$x2: NanoCore.ClientPluginHost 0x58897:$x2: NanoCore.ClientPluginHost 0x64656:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x3856d:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e70:$s4: PipeCreated 0x1fceb:$s4: PipeCreated 0x26dd6:$s4: PipeCreated 0x2d0e0:$s4: PipeCreated 0x3780d:$s4: PipeCreated 0x41bd2:$s4: PipeCreated 0x4dae2:$s4: PipeCreated 0x5a642:$s4: PipeCreated
12.2.iGZtra5EaP.exe.35486f8.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a9b:$a: NanoCore 0x15af4:$a: NanoCore 0x15b27:$a: NanoCore 0x15d53:$a: NanoCore 0x15dcf:$a: NanoCore 0x163e8:$a: NanoCore 0x16531:$a: NanoCore 0x16a05:$a: NanoCore 0x16cec:$a: NanoCore 0x16d03:$a: NanoCore 0x1fbe7:$a: NanoCore 0x1fc63:$a: NanoCore 0x22546:$a: NanoCore 0x26cf8:$a: NanoCore 0x26d42:$a: NanoCore 0x2799c:$a: NanoCore 0x2cfc5:$a: NanoCore 0x2d03f:$a: NanoCore
0.2.iGZtra5EaP.exe.3cc9930.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.iGZtra5EaP.exe.3cc9930.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.iGZtra5EaP.exe.3cc9930.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.iGZtra5EaP.exe.3cc9930.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd07ad:$x1: NanoCore.ClientPluginHost 0xd07ea:$x2: IClientNetworkHost 0xd431d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xd0515:$a: NanoCore 0xd0525:$a: NanoCore 0xd0759:$a: NanoCore 0xd076d:$a: NanoCore 0xd07ad:$a: NanoCore 0xd0574:$b: ClientPlugin 0xd0776:$b: ClientPlugin 0xd07b6:$b: ClientPlugin 0xd069b:$c: ProjectData 0x2a26cb:$c: ProjectData 0xd10a2:$d: DESCrypto 0xd8a6e:$e: KeepAlive 0xd6a5c:$g: LogClientMessage 0xd2c57:$i: get_Connected 0xd13d8:$j: #=q 0xd1408:$j: #=q 0xd1424:$j: #=q 0xd1454:$j: #=q 0xd1470:$j: #=q 0xd148c:$j: #=q 0xd14bc:$j: #=q
12.2.iGZtra5EaP.exe.6e50000.42.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e50000.42.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6dd0000.34.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6dd0000.34.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6e50000.42.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e50000.42.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.355cd68.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb577:$x1: NanoCore.ClientPluginHost 0x12688:$x1: NanoCore.ClientPluginHost 0x18955:$x1: NanoCore.ClientPluginHost 0x22fa7:$x1: NanoCore.ClientPluginHost 0x2d417:$x1: NanoCore.ClientPluginHost 0x3843d:$x1: NanoCore.ClientPluginHost 0x44227:$x1: NanoCore.ClientPluginHost 0x4ffe6:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb5b0:$x2: IClientNetworkHost 0x1898e:$x2: IClientNetworkHost 0x23104:$x2: IClientNetworkHost 0x2d450:$x2: IClientNetworkHost 0x38457:$x2: IClientNetworkHost 0x44241:$x2: IClientNetworkHost 0x50023:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.355cd68.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0xb577:$x2: NanoCore.ClientPluginHost 0x12688:$x2: NanoCore.ClientPluginHost 0x18955:$x2: NanoCore.ClientPluginHost 0x22fa7:$x2: NanoCore.ClientPluginHost 0x2d417:$x2: NanoCore.ClientPluginHost 0x3843d:$x2: NanoCore.ClientPluginHost 0x44227:$x2: NanoCore.ClientPluginHost 0x4ffe6:$x2: NanoCore.ClientPluginHost 0x23efd:$s3: PipeExists 0x1800:$s4: PipeCreated 0xb67b:$s4: PipeCreated 0x12766:$s4: PipeCreated 0x18a70:$s4: PipeCreated 0x2319d:$s4: PipeCreated 0x2d562:$s4: PipeCreated 0x39472:$s4: PipeCreated 0x45fd2:$s4: PipeCreated 0x53439:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost 0xb591:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.355cd68.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb577:$a: NanoCore 0xb5f3:$a: NanoCore 0xded6:$a: NanoCore 0x12688:$a: NanoCore 0x126d2:$a: NanoCore 0x1332c:$a: NanoCore 0x18955:$a: NanoCore 0x189cf:$a: NanoCore 0x22fa7:$a: NanoCore 0x23091:$a: NanoCore 0x23f08:$a: NanoCore
12.2.iGZtra5EaP.exe.6df0000.36.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6df0000.36.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.37c111c.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14e31:$x1: NanoCore.ClientPluginHost 0x21fef:$x1: NanoCore.ClientPluginHost 0x2be93:$x1: NanoCore.ClientPluginHost 0x32fb4:$x1: NanoCore.ClientPluginHost 0x39291:$x1: NanoCore.ClientPluginHost 0x438f3:$x1: NanoCore.ClientPluginHost 0x4dd73:$x1: NanoCore.ClientPluginHost 0x58da9:$x1: NanoCore.ClientPluginHost 0x64ba3:$x1: NanoCore.ClientPluginHost 0x7098e:$x1: NanoCore.ClientPluginHost 0x8298f:$x1: NanoCore.ClientPluginHost 0x877af:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e5e:$x2: IClientNetworkHost 0x22028:$x2: IClientNetworkHost 0x2becc:$x2: IClientNetworkHost 0x392ca:$x2: IClientNetworkHost 0x43a50:$x2: IClientNetworkHost 0x4ddac:$x2: IClientNetworkHost 0x58dc3:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.37c111c.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14e31:$x2: NanoCore.ClientPluginHost 0x21fef:$x2: NanoCore.ClientPluginHost 0x2be93:$x2: NanoCore.ClientPluginHost 0x32fb4:$x2: NanoCore.ClientPluginHost 0x39291:$x2: NanoCore.ClientPluginHost 0x438f3:$x2: NanoCore.ClientPluginHost 0x4dd73:$x2: NanoCore.ClientPluginHost 0x58da9:$x2: NanoCore.ClientPluginHost 0x64ba3:$x2: NanoCore.ClientPluginHost 0x7098e:$x2: NanoCore.ClientPluginHost 0x8298f:$x2: NanoCore.ClientPluginHost 0x877af:$x2: NanoCore.ClientPluginHost 0x15e00:$s2: FileCommand 0x44849:$s3: PipeExists 0x82d7b:$s3: PipeExists 0x87b9b:$s3: PipeExists 0x6a6b:$s4: PipeCreated 0x1a802:$s4: PipeCreated 0x2210c:$s4: PipeCreated 0x2bf97:$s4: PipeCreated
12.2.iGZtra5EaP.exe.37c111c.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14e0b:$a: NanoCore 0x14e31:$a: NanoCore 0x14e8d:$a: NanoCore 0x21d37:$a: NanoCore 0x21d90:$a: NanoCore 0x21dc3:$a: NanoCore 0x21fef:$a: NanoCore 0x2206b:$a: NanoCore 0x22684:$a: NanoCore 0x227cd:$a: NanoCore 0x22ca1:$a: NanoCore 0x22f88:$a: NanoCore 0x22f9f:$a: NanoCore 0x2be93:$a: NanoCore 0x2bf0f:$a: NanoCore 0x2e7f2:$a: NanoCore 0x32fb4:$a: NanoCore 0x32ffe:$a: NanoCore
12.2.iGZtra5EaP.exe.44d0614.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287a9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287d6:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.44d0614.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287a9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29884:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287c3:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.44d0614.14.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.48fc66c.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14dd7:$x1: NanoCore.ClientPluginHost 0x21f40:$x1: NanoCore.ClientPluginHost 0x27633:$x1: NanoCore.ClientPluginHost 0x2d8bc:$x1: NanoCore.ClientPluginHost 0x37ecb:$x1: NanoCore.ClientPluginHost 0x422f6:$x1: NanoCore.ClientPluginHost 0x4d2d3:$x1: NanoCore.ClientPluginHost 0x59075:$x1: NanoCore.ClientPluginHost 0x7df79:$x1: NanoCore.ClientPluginHost 0x8d3b9:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e04:$x2: IClientNetworkHost 0x21f79:$x2: IClientNetworkHost 0x2d8f5:$x2: IClientNetworkHost 0x38028:$x2: IClientNetworkHost 0x4232f:$x2: IClientNetworkHost 0x4d2ed:$x2: IClientNetworkHost 0x5908f:$x2: IClientNetworkHost 0x7df93:$x2: IClientNetworkHost 0x8d3f6:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.48fc66c.23.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db1:$a: NanoCore 0x14dd7:$a: NanoCore 0x14e33:$a: NanoCore 0x21c88:$a: NanoCore 0x21ce1:$a: NanoCore 0x21d14:$a: NanoCore 0x21f40:$a: NanoCore 0x21fbc:$a: NanoCore 0x225d5:$a: NanoCore 0x2271e:$a: NanoCore 0x22bf2:$a: NanoCore 0x22ed9:$a: NanoCore 0x22ef0:$a: NanoCore 0x26279:$a: NanoCore 0x27633:$a: NanoCore 0x2767d:$a: NanoCore 0x282d7:$a: NanoCore 0x2d8bc:$a: NanoCore
0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x1033cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x10340a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x106f3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x103135:$a: NanoCore 0x103145:$a: NanoCore 0x103379:$a: NanoCore 0x10338d:$a: NanoCore 0x1033cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x103194:$b: ClientPlugin 0x103396:$b: ClientPlugin 0x1033d6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x1032bb:$c: ProjectData 0x2d52eb:$c: ProjectData 0x10a82:$d: DESCrypto 0x103cc2:$d: DESCrypto
17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
12.2.iGZtra5EaP.exe.37cd3a8.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d63:$x1: NanoCore.ClientPluginHost 0x1fc07:$x1: NanoCore.ClientPluginHost 0x26d28:$x1: NanoCore.ClientPluginHost 0x2d005:$x1: NanoCore.ClientPluginHost 0x37667:$x1: NanoCore.ClientPluginHost 0x41ae7:$x1: NanoCore.ClientPluginHost 0x4cb1d:$x1: NanoCore.ClientPluginHost 0x58917:$x1: NanoCore.ClientPluginHost 0x64702:$x1: NanoCore.ClientPluginHost 0x76703:$x1: NanoCore.ClientPluginHost 0x7b523:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d9c:$x2: IClientNetworkHost 0x1fc40:$x2: IClientNetworkHost 0x2d03e:$x2: IClientNetworkHost 0x377c4:$x2: IClientNetworkHost 0x41b20:$x2: IClientNetworkHost 0x4cb37:$x2: IClientNetworkHost 0x58931:$x2: IClientNetworkHost 0x6473f:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.37cd3a8.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d63:$x2: NanoCore.ClientPluginHost 0x1fc07:$x2: NanoCore.ClientPluginHost 0x26d28:$x2: NanoCore.ClientPluginHost 0x2d005:$x2: NanoCore.ClientPluginHost 0x37667:$x2: NanoCore.ClientPluginHost 0x41ae7:$x2: NanoCore.ClientPluginHost 0x4cb1d:$x2: NanoCore.ClientPluginHost 0x58917:$x2: NanoCore.ClientPluginHost 0x64702:$x2: NanoCore.ClientPluginHost 0x76703:$x2: NanoCore.ClientPluginHost 0x7b523:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x385bd:$s3: PipeExists 0x76aef:$s3: PipeExists 0x7b90f:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e80:$s4: PipeCreated 0x1fd0b:$s4: PipeCreated 0x26e06:$s4: PipeCreated 0x2d120:$s4: PipeCreated
12.2.iGZtra5EaP.exe.37cd3a8.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15aab:$a: NanoCore 0x15b04:$a: NanoCore 0x15b37:$a: NanoCore 0x15d63:$a: NanoCore 0x15ddf:$a: NanoCore 0x163f8:$a: NanoCore 0x16541:$a: NanoCore 0x16a15:$a: NanoCore 0x16cfc:$a: NanoCore 0x16d13:$a: NanoCore 0x1fc07:$a: NanoCore 0x1fc83:$a: NanoCore 0x22566:$a: NanoCore 0x26d28:$a: NanoCore 0x26d72:$a: NanoCore 0x279cc:$a: NanoCore 0x2d005:$a: NanoCore 0x2d07f:$a: NanoCore
12.2.iGZtra5EaP.exe.471931d.20.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.471931d.20.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a58:$a: NanoCore 0x15ab1:$a: NanoCore 0x15ae4:$a: NanoCore 0x15d10:$a: NanoCore 0x15d8c:$a: NanoCore 0x163a5:$a: NanoCore 0x164ee:$a: NanoCore 0x169c2:$a: NanoCore 0x16ca9:$a: NanoCore 0x16cc0:$a: NanoCore 0x1fb64:$a: NanoCore 0x1fbe0:$a: NanoCore 0x224c3:$a: NanoCore 0x25875:$a: NanoCore 0x26c31:$a: NanoCore 0x26c7b:$a: NanoCore 0x278d5:$a: NanoCore 0x2cebc:$a: NanoCore
12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x18dbe:$x1: NanoCore.ClientPluginHost 0x28fda:$x1: NanoCore.ClientPluginHost 0x36143:$x1: NanoCore.ClientPluginHost 0x3b836:$x1: NanoCore.ClientPluginHost 0x41abf:$x1: NanoCore.ClientPluginHost 0x4c0ce:$x1: NanoCore.ClientPluginHost 0x564f9:$x1: NanoCore.ClientPluginHost 0x614d6:$x1: NanoCore.ClientPluginHost 0x6d278:$x1: NanoCore.ClientPluginHost 0x9217c:$x1: NanoCore.ClientPluginHost 0xa15bc:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x18de8:$x2: IClientNetworkHost 0x29007:$x2: IClientNetworkHost 0x3617c:$x2: IClientNetworkHost 0x41af8:$x2: IClientNetworkHost 0x4c22b:$x2: IClientNetworkHost 0x56532:$x2: IClientNetworkHost 0x614f0:$x2: IClientNetworkHost 0x6d292:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb13a:$a: NanoCore 0xb14f:$a: NanoCore 0xb184:$a: NanoCore 0x18d99:$a: NanoCore 0x18dbe:$a: NanoCore 0x18e17:$a: NanoCore 0x28fb4:$a: NanoCore 0x28fda:$a: NanoCore 0x29036:$a: NanoCore 0x35e8b:$a: NanoCore 0x35ee4:$a: NanoCore 0x35f17:$a: NanoCore 0x36143:$a: NanoCore 0x361bf:$a: NanoCore 0x367d8:$a: NanoCore 0x36921:$a: NanoCore 0x36df5:$a: NanoCore 0x370dc:$a: NanoCore 0x370f3:$a: NanoCore 0x3a47c:$a: NanoCore 0x3b836:$a: NanoCore
12.2.iGZtra5EaP.exe.472d94a.22.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.472d94a.22.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb537:$a: NanoCore 0xb5b3:$a: NanoCore 0xde96:$a: NanoCore 0x11248:$a: NanoCore 0x12604:$a: NanoCore 0x1264e:$a: NanoCore 0x132a8:$a: NanoCore 0x1888f:$a: NanoCore 0x18909:$a: NanoCore 0x22ea0:$a: NanoCore 0x22f8a:$a: NanoCore
12.2.iGZtra5EaP.exe.470d0e9.21.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.470d0e9.21.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db3:$a: NanoCore 0x14dd9:$a: NanoCore 0x14e35:$a: NanoCore 0x21c8c:$a: NanoCore 0x21ce5:$a: NanoCore 0x21d18:$a: NanoCore 0x21f44:$a: NanoCore 0x21fc0:$a: NanoCore 0x225d9:$a: NanoCore 0x22722:$a: NanoCore 0x22bf6:$a: NanoCore 0x22edd:$a: NanoCore 0x22ef4:$a: NanoCore 0x2bd98:$a: NanoCore 0x2be14:$a: NanoCore 0x2e6f7:$a: NanoCore 0x31aa9:$a: NanoCore 0x32e65:$a: NanoCore
Click to see the 237 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\iGZtra5EaP.exe, ProcessId: 4720, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\iGZtra5EaP.exe, ProcessId: 4720, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\iGZtra5EaP.exe, ProcessId: 4720, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\iGZtra5EaP.exe, ProcessId: 4720, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "f0d143be-967c-4293-98d3-3a1e128b", "Group": "BotNet", "Domain1": "microsoftsecurity.sytes.net", "Domain2": "backupnew.duckdns.org", "Port": 1177, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for domain / URL

Show sources

Source: backupnew.duckdns.org	Virustotal: Detection: 8%	Perma Link
Source: microsoftsecurity.sytes.net	Virustotal: Detection: 8%	Perma Link
Source: backupnew.duckdns.org	Virustotal: Detection: 8%	Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe	ReversingLabs: Detection: 64%

Multi AV Scanner detection for submitted file

Show sources

Source: iGZtra5EaP.exe	Virustotal: Detection: 48%			Perma Link
Source: iGZtra5EaP.exe	ReversingLabs: Detection: 64%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 30.2.dhcpmon.exe.4060614.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a64c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.iGZtra5EaP.exe.3b59930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.4149930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d4c3d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d4629.30.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff0614.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.405b7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.448e778.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3feb7de.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d0000.31.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e3e40.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.4099930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d0000.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4492da1.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d0614.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a60614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.4149930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.4064c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4489942.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4553c80.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a60614.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e3e40.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff4c3d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.448e778.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.4099930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.4060614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff0614.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cc9930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d0614.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.471931d.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.472d94a.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.470d0e9.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476961664.000000000454E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.477941629.00000000048DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476599395.00000000044C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.423536148.0000000004019000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476392070.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.431679291.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.472713339.0000000003481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 4720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 5016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5200, type: MEMORYSTR

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: iGZtra5EaP.exe

Joe Sandbox ML: detected

Source: 27.2.iGZtra5EaP.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 30.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.iGZtra5EaP.exe.69d0000.31.unpack	Avira: Label: TR/NanoCore.fadte
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 33.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: iGZtra5EaP.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: iGZtra5EaP.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 4x nop then pop ebp
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 4x nop then pop ebp
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49737 -> 20.197.234.75:1177
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49743 -> 20.197.234.75:1177
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49744 -> 20.197.234.75:1177
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49745 -> 20.197.234.75:1177

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: backupnew.duckdns.org
Source: Malware configuration extractor	URLs: microsoftsecurity.sytes.net

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: backupnew.duckdns.org

Source: global traffic	TCP traffic: 192.168.2.3:49724 -> 20.206.66.33:1177
Source: global traffic	TCP traffic: 192.168.2.3:49737 -> 20.197.234.75:1177

Source: unknown

DNS traffic detected: queries for: microsoftsecurity.sytes.net

Source: iGZtra5EaP.exe	String found in binary or memory: http://douglasheriot.com/uno/
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: iGZtra5EaP.exe, 00000000.00000002.293558443.0000000002CC1000.00000004.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.398277931.0000000002B51000.00000004.00000001.sdmp, dhcpmon.exe, 00000012.00000002.400511596.0000000003091000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 30.2.dhcpmon.exe.4060614.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a64c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.iGZtra5EaP.exe.3b59930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.4149930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d4c3d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d4629.30.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff0614.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.405b7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.448e778.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3feb7de.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d0000.31.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e3e40.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.4099930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d0000.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4492da1.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d0614.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a60614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.4149930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.4064c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4489942.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4553c80.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a60614.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e3e40.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff4c3d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.448e778.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.4099930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.4060614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff0614.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cc9930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d0614.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.471931d.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.472d94a.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.470d0e9.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476961664.000000000454E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.477941629.00000000048DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476599395.00000000044C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.423536148.0000000004019000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476392070.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.431679291.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.472713339.0000000003481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 4720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 5016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5200, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 12.2.iGZtra5EaP.exe.6de0000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e10000.38.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 33.2.dhcpmon.exe.3009684.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6760000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.dhcpmon.exe.4060614.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.iGZtra5EaP.exe.3a64c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e40000.40.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.iGZtra5EaP.exe.3b59930.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.iGZtra5EaP.exe.3b59930.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.dhcpmon.exe.4149930.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.4149930.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.44d4c3d.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.69d4629.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e54c9f.43.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 33.2.dhcpmon.exe.3ff0614.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e90000.44.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e10000.38.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.dhcpmon.exe.405b7de.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.dhcpmon.exe.405b7de.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.37e1a28.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.37e1a28.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.37cd3a8.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6dd0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.448e778.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.34b6ba0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e20000.39.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.1ad0000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 33.2.dhcpmon.exe.3feb7de.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 33.2.dhcpmon.exe.3feb7de.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.48fc66c.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.470d0e9.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.69d0000.31.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.353c47c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.353c47c.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.48e3e40.25.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.4099930.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.4099930.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.6db0000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.69d0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.4492da1.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.44d0614.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.iGZtra5EaP.exe.3a60614.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.4149930.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.4149930.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.6e5e8a4.41.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.2.dhcpmon.exe.3079684.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.iGZtra5EaP.exe.2a7956c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6df0000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e20000.39.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.1ad0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.2.dhcpmon.exe.4064c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e00000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e90000.44.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e40000.40.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e00000.37.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.4489942.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.4489942.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.4553c80.19.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6760000.28.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.353c47c.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.iGZtra5EaP.exe.3a60614.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.48e3e40.25.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.2.dhcpmon.exe.3ff4c3d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.448e778.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.35486f8.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.4099930.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.4099930.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.37c111c.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.dhcpmon.exe.4060614.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.2.dhcpmon.exe.3ff0614.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.471931d.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.5ec0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.35486f8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.35486f8.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.iGZtra5EaP.exe.3cc9930.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.iGZtra5EaP.exe.3cc9930.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.6e50000.42.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6dd0000.34.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e50000.42.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.355cd68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.355cd68.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.6df0000.36.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.37c111c.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.37c111c.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.44d0614.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.48fc66c.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.48fc66c.23.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.37cd3a8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.37cd3a8.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.471931d.20.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.472d94a.22.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.470d0e9.21.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.482078580.0000000006E40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.476961664.000000000454E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.482179100.0000000006E90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.471078718.0000000001AD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.475401082.000000000374C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.481910813.0000000006DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.481995550.0000000006E00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.482020693.0000000006E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.481961618.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.481945946.0000000006DD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.482036750.0000000006E20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.473787584.00000000034F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.480093816.0000000005EC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.482102080.0000000006E50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.477941629.00000000048DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.480306697.0000000006760000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.476599395.00000000044C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000002.423536148.0000000004019000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.476392070.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.481978911.0000000006DF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000021.00000002.431679291.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: iGZtra5EaP.exe PID: 5832, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: iGZtra5EaP.exe PID: 5832, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: iGZtra5EaP.exe PID: 4720, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: iGZtra5EaP.exe PID: 4720, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: iGZtra5EaP.exe PID: 5016, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: iGZtra5EaP.exe PID: 5016, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 3008, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 3008, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 5200, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 5200, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 0_2_02B57E88
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 0_2_02B5D424
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 0_2_02B57E79
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 0_2_052A1AC0
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 0_2_052AA5E4
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_0182E480
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_0182E471
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_0182BBD4
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DC0040
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DC8D08
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DC9B98
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DC9C56
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_01047E79
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_0104D424
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_050D1AC0
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_050D0006
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_050D0040
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_050D1AB1
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084BA1B8
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084B6220
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084B4230
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084B4B00
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084B9588
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084BA1AA
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084BE4F8
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084BA488
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084BA482
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084B957A
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084B3EE8
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084B9F58
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_02E67E88
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_02E6D424
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_02E67E79
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_05651AC0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_05650040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_05650006
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_05651AB1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_0711DF70
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_071147E0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07117EB0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_0711E6F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07114D78
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_0711C5B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07115CC8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07114A50
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07115908
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07115140
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07118990
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_071147D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07114D67
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07116C22
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07116C28
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_0711D458
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07115CB8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07114378
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07114369
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07114A42
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07115130
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07113851
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_071158F8

Source: iGZtra5EaP.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eBopYzBwUYOW.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.12.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: iGZtra5EaP.exe	Binary or memory string: OriginalFilename vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000000.00000002.294056271.0000000002F9F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameResource_Meter.dll> vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000000.00000002.302493562.000000000EA00000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000000.00000002.302493562.000000000EA00000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000000.00000002.300051492.0000000007670000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIpTl.exe( vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000000.00000002.302136335.000000000E910000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe	Binary or memory string: OriginalFilename vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.480906806.00000000068E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.479435381.00000000059A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.470898373.00000000018E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000000.292068443.0000000000EF2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIpTl.exe( vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe	Binary or memory string: OriginalFilename vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000011.00000002.408352281.00000000070B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000011.00000002.398277931.0000000002B51000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000011.00000002.399298004.0000000002E2F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameResource_Meter.dll> vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000011.00000000.303701249.0000000000632000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIpTl.exe( vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000011.00000002.410906313.000000000E310000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000011.00000002.396930695.0000000000D5A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000011.00000002.408776484.0000000007150000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000011.00000002.408776484.0000000007150000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000001B.00000000.394808398.0000000000522000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIpTl.exe( vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe	Binary or memory string: OriginalFilenameIpTl.exe( vs iGZtra5EaP.exe

Source: iGZtra5EaP.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 12.2.iGZtra5EaP.exe.6de0000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6de0000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e10000.38.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e10000.38.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.dhcpmon.exe.3009684.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 33.2.dhcpmon.exe.3009684.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6760000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6760000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.dhcpmon.exe.4060614.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.dhcpmon.exe.4060614.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.iGZtra5EaP.exe.3a64c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.iGZtra5EaP.exe.3a64c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e40000.40.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e40000.40.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.iGZtra5EaP.exe.3b59930.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.iGZtra5EaP.exe.3b59930.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.iGZtra5EaP.exe.3b59930.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.dhcpmon.exe.4149930.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.4149930.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.44d4c3d.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.44d4c3d.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.69d4629.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.69d4629.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e54c9f.43.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e54c9f.43.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.dhcpmon.exe.3ff0614.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 33.2.dhcpmon.exe.3ff0614.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e90000.44.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e90000.44.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e10000.38.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e10000.38.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.dhcpmon.exe.405b7de.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.dhcpmon.exe.405b7de.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.dhcpmon.exe.405b7de.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.37e1a28.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.37e1a28.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.37e1a28.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.37cd3a8.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.37cd3a8.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6dd0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6dd0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.448e778.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.448e778.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.34b6ba0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.34b6ba0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e20000.39.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e20000.39.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.1ad0000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.1ad0000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.dhcpmon.exe.3feb7de.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 33.2.dhcpmon.exe.3feb7de.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.dhcpmon.exe.3feb7de.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.48fc66c.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.48fc66c.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.470d0e9.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.470d0e9.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.69d0000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.69d0000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.353c47c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.353c47c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.353c47c.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.48e3e40.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.48e3e40.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.4099930.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.4099930.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.6db0000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6db0000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.69d0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.69d0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.4492da1.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.4492da1.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.44d0614.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.44d0614.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.iGZtra5EaP.exe.3a60614.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.iGZtra5EaP.exe.3a60614.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.dhcpmon.exe.4149930.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.4149930.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.dhcpmon.exe.4149930.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.6e5e8a4.41.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e5e8a4.41.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.2.dhcpmon.exe.3079684.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.dhcpmon.exe.3079684.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.iGZtra5EaP.exe.2a7956c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.iGZtra5EaP.exe.2a7956c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6df0000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6df0000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e20000.39.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e20000.39.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.1ad0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.1ad0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.2.dhcpmon.exe.4064c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.dhcpmon.exe.4064c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e00000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e00000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e90000.44.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e90000.44.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e40000.40.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e40000.40.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e00000.37.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e00000.37.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.4489942.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.4489942.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.4489942.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.4553c80.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.4553c80.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6760000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6760000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.353c47c.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.353c47c.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.iGZtra5EaP.exe.3a60614.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.iGZtra5EaP.exe.3a60614.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.48e3e40.25.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 33.2.dhcpmon.exe.3ff4c3d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 33.2.dhcpmon.exe.3ff4c3d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.448e778.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.448e778.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.35486f8.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.35486f8.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.4099930.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.4099930.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.4099930.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.37c111c.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.37c111c.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.dhcpmon.exe.4060614.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.dhcpmon.exe.4060614.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 33.2.dhcpmon.exe.3ff0614.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 33.2.dhcpmon.exe.3ff0614.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.471931d.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.471931d.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.5ec0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.5ec0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.35486f8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.35486f8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.35486f8.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.iGZtra5EaP.exe.3cc9930.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.iGZtra5EaP.exe.3cc9930.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.iGZtra5EaP.exe.3cc9930.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.6e50000.42.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e50000.42.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6dd0000.34.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6dd0000.34.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e50000.42.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e50000.42.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.355cd68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.355cd68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.355cd68.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.6df0000.36.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6df0000.36.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.37c111c.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.37c111c.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.37c111c.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.44d0614.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.44d0614.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.48fc66c.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.48fc66c.23.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.37cd3a8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.37cd3a8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.37cd3a8.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.471931d.20.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.472d94a.22.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.470d0e9.21.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.482078580.0000000006E40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.482078580.0000000006E40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.476961664.000000000454E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.482179100.0000000006E90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.482179100.0000000006E90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.471078718.0000000001AD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.471078718.0000000001AD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.475401082.000000000374C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.481910813.0000000006DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.481910813.0000000006DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.481995550.0000000006E00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.481995550.0000000006E00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.482020693.0000000006E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.482020693.0000000006E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.481961618.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.481961618.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.481945946.0000000006DD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.481945946.0000000006DD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.482036750.0000000006E20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.482036750.0000000006E20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.473787584.00000000034F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.480093816.0000000005EC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.480093816.0000000005EC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.482102080.0000000006E50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.482102080.0000000006E50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.477941629.00000000048DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.480306697.0000000006760000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.480306697.0000000006760000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.476599395.00000000044C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000002.423536148.0000000004019000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.476392070.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.481978911.0000000006DF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.481978911.0000000006DF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000021.00000002.431679291.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: iGZtra5EaP.exe PID: 5832, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: iGZtra5EaP.exe PID: 5832, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: iGZtra5EaP.exe PID: 4720, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: iGZtra5EaP.exe PID: 4720, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: iGZtra5EaP.exe PID: 5016, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: iGZtra5EaP.exe PID: 5016, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 3008, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 3008, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 5200, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 5200, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: iGZtra5EaP.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: eBopYzBwUYOW.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.12.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 30.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 30.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 30.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 33.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 33.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 30.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 30.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@30/15@7/2

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

File created: C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe

Jump to behavior

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{f0d143be-967c-4293-98d3-3a1e128b5398}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2588:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5096:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:256:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1324:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:120:WilError_01

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

File created: C:\Users\user\AppData\Local\Temp\tmp3997.tmp

Jump to behavior

Source: iGZtra5EaP.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: iGZtra5EaP.exe	Virustotal: Detection: 48%
Source: iGZtra5EaP.exe	ReversingLabs: Detection: 64%

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

File read: C:\Users\user\Desktop\iGZtra5EaP.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\iGZtra5EaP.exe 'C:\Users\user\Desktop\iGZtra5EaP.exe'
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp3997.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Users\user\Desktop\iGZtra5EaP.exe {path}
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp489A.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4CC2.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\iGZtra5EaP.exe C:\Users\user\Desktop\iGZtra5EaP.exe 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpF219.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Users\user\Desktop\iGZtra5EaP.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpF5E2.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp63D.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp3997.tmp'
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Users\user\Desktop\iGZtra5EaP.exe {path}
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp489A.tmp'
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4CC2.tmp'
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpF219.tmp'
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Users\user\Desktop\iGZtra5EaP.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpF5E2.tmp'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp63D.tmp'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: iGZtra5EaP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: iGZtra5EaP.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 30.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 30.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 33.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 33.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 0_2_009585A5 push edx; iretd
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 0_2_00954664 push dword ptr [edx+ebx*2+20h]; ret
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_00EF85A5 push edx; iretd
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_00EF4664 push dword ptr [edx+ebx*2+20h]; ret
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD61F push es; retf
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD61B push es; retf
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD603 push es; retf
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD633 push es; retf
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD62F push es; retf
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD62B push es; retf
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD627 push es; retf
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD623 push es; retf
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD4FF push es; retf
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD4FB push es; retf
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD467 push es; retf
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD463 push es; retf
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD597 push es; retf
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD5B7 push es; retf
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD3C7 push es; ret
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD3C3 push es; ret
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCCD42 push 8B000005h; retf
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_00634664 push dword ptr [edx+ebx*2+20h]; ret
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_006385A5 push edx; iretd
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_050D806D pushad ; retf
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_050D8A30 push C58FBA62h; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_00C685A5 push edx; iretd
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_00C64664 push dword ptr [edx+ebx*2+20h]; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_0565806D pushad ; retf
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_05658A30 push C58FBA62h; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07117E80 push esp; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_0711981D pushad ; iretd

Source: initial sample	Static PE information: section name: .text entropy: 7.50200224495
Source: initial sample	Static PE information: section name: .text entropy: 7.50200224495
Source: initial sample	Static PE information: section name: .text entropy: 7.50200224495

Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 30.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 30.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 33.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 33.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	File created: C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp3997.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

File opened: C:\Users\user\Desktop\iGZtra5EaP.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.398277931.0000000002B51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.293558443.0000000002CC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.400511596.0000000003091000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 1288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5756, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: iGZtra5EaP.exe, 00000000.00000002.293558443.0000000002CC1000.00000004.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.398277931.0000000002B51000.00000004.00000001.sdmp, dhcpmon.exe, 00000012.00000002.400511596.0000000003091000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: iGZtra5EaP.exe, 00000000.00000002.293558443.0000000002CC1000.00000004.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.398277931.0000000002B51000.00000004.00000001.sdmp, dhcpmon.exe, 00000012.00000002.400511596.0000000003091000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Window / User API: threadDelayed 2413
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Window / User API: threadDelayed 6764
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Window / User API: foregroundWindowGot 567

Source: C:\Users\user\Desktop\iGZtra5EaP.exe TID: 1636	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\iGZtra5EaP.exe TID: 1200	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\Desktop\iGZtra5EaP.exe TID: 3868	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1180	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5896	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\iGZtra5EaP.exe TID: 6004	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1928	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5480	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: dhcpmon.exe, 00000014.00000002.427212461.000000000E4C0000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: iGZtra5EaP.exe, 0000000C.00000002.470898373.00000000018E0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: iGZtra5EaP.exe, 00000000.00000002.301129173.0000000008C30000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMware3TV9F2PNWin32_VideoControllerXYX6N6Y_VideoController120060621000000.000000-00087424060disp
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: dhcpmon.exe, 00000014.00000002.427212461.000000000E4C0000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SAE
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000014.00000002.427212461.000000000E4C0000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMware3TV9F2PNWin32_VideoControllerXYX6N6Y_VideoController120060621000000.000000-00087424060display.infMSBDAU1H7SVAXPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsK9WOH_X5
Source: iGZtra5EaP.exe, 0000000C.00000002.470898373.00000000018E0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: iGZtra5EaP.exe, 00000000.00000002.301129173.0000000008C30000.00000004.00000001.sdmp	Binary or memory string: ontroller(Standard display types)VMware3TV9F2PNWin32_VideoControllerXYX6N6Y_VideoController120060621000000.000000-00087424060display.infMSBDAU1H7SVAXPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsK9WOH_X5Hy
Source: iGZtra5EaP.exe, 0000000C.00000002.470898373.00000000018E0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: dhcpmon.exe, 00000012.00000002.413353329.00000000088D0000.00000004.00000001.sdmp	Binary or memory string: y types)VMware3TV9F2PNWin32_VideoControllerXYX6N6Y_Vid=
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: iGZtra5EaP.exe, 0000000C.00000002.470898373.00000000018E0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Memory written: C:\Users\user\Desktop\iGZtra5EaP.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Memory written: C:\Users\user\Desktop\iGZtra5EaP.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp3997.tmp'
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Users\user\Desktop\iGZtra5EaP.exe {path}
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp489A.tmp'
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4CC2.tmp'
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpF219.tmp'
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Users\user\Desktop\iGZtra5EaP.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpF5E2.tmp'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp63D.tmp'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}

Source: iGZtra5EaP.exe, 0000000C.00000002.474203989.00000000035BC000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: iGZtra5EaP.exe, 0000000C.00000002.471140321.0000000001E70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: iGZtra5EaP.exe, 0000000C.00000002.471140321.0000000001E70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: iGZtra5EaP.exe, 0000000C.00000002.475401082.000000000374C000.00000004.00000001.sdmp	Binary or memory string: Program ManagerP%"D
Source: iGZtra5EaP.exe, 0000000C.00000002.474203989.00000000035BC000.00000004.00000001.sdmp	Binary or memory string: Program Managerx
Source: iGZtra5EaP.exe, 0000000C.00000002.471140321.0000000001E70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Users\user\Desktop\iGZtra5EaP.exe VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Users\user\Desktop\iGZtra5EaP.exe VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Users\user\Desktop\iGZtra5EaP.exe VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Users\user\Desktop\iGZtra5EaP.exe VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

Code function: 17_2_084B90D8 GetUserNameA,

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 30.2.dhcpmon.exe.4060614.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a64c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.iGZtra5EaP.exe.3b59930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.4149930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d4c3d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d4629.30.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff0614.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.405b7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.448e778.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3feb7de.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d0000.31.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e3e40.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.4099930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d0000.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4492da1.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d0614.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a60614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.4149930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.4064c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4489942.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4553c80.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a60614.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e3e40.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff4c3d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.448e778.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.4099930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.4060614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff0614.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cc9930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d0614.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.471931d.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.472d94a.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.470d0e9.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476961664.000000000454E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.477941629.00000000048DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476599395.00000000044C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.423536148.0000000004019000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476392070.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.431679291.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.472713339.0000000003481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 4720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 5016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5200, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: iGZtra5EaP.exe, 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: iGZtra5EaP.exe, 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: iGZtra5EaP.exe, 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 30.2.dhcpmon.exe.4060614.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a64c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.iGZtra5EaP.exe.3b59930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.4149930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d4c3d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d4629.30.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff0614.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.405b7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.448e778.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3feb7de.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d0000.31.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e3e40.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.4099930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d0000.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4492da1.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d0614.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a60614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.4149930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.4064c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4489942.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4553c80.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a60614.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e3e40.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff4c3d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.448e778.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.4099930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.4060614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff0614.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cc9930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d0614.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.471931d.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.472d94a.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.470d0e9.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476961664.000000000454E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.477941629.00000000048DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476599395.00000000044C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.423536148.0000000004019000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476392070.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.431679291.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.472713339.0000000003481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 4720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 5016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5200, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Process Injection112	Masquerading2	Input Capture11	Security Software Discovery311	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion131	Security Account Manager	Virtualization/Sandbox Evasion131	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information3	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	System Information Discovery12	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
iGZtra5EaP.exe	49%	Virustotal		Browse
iGZtra5EaP.exe	64%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
iGZtra5EaP.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	64%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe	64%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
27.2.iGZtra5EaP.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
30.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.2.iGZtra5EaP.exe.69d0000.31.unpack	100%	Avira	TR/NanoCore.fadte	Download File
12.2.iGZtra5EaP.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
33.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

Source	Detection	Scanner	Label	Link
backupnew.duckdns.org	9%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
microsoftsecurity.sytes.net	9%	Virustotal		Browse
microsoftsecurity.sytes.net	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
backupnew.duckdns.org	9%	Virustotal		Browse
backupnew.duckdns.org	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://douglasheriot.com/uno/	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
backupnew.duckdns.org	20.197.234.75	true	true	9%, Virustotal, Browse	unknown
microsoftsecurity.sytes.net	20.206.66.33	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
microsoftsecurity.sytes.net	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
backupnew.duckdns.org	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false		high
http://www.tiro.com	dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://google.com	iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false		high
http://douglasheriot.com/uno/	iGZtra5EaP.exe	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false		high
http://www.fonts.com	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	iGZtra5EaP.exe, 00000000.00000002.293558443.0000000002CC1000.00000004.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.398277931.0000000002B51000.00000004.00000001.sdmp, dhcpmon.exe, 00000012.00000002.400511596.0000000003091000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
20.206.66.33	microsoftsecurity.sytes.net	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.197.234.75	backupnew.duckdns.org	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458908
Start date:	03.08.2021
Start time:	21:11:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 2s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	iGZtra5EaP.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@30/15@7/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.8% (good quality ratio 0.5%) Quality average: 40.1% Quality standard deviation: 36.9%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.42.151.234, 168.61.161.212, 20.82.210.154, 23.35.236.56, 173.222.108.226, 173.222.108.210, 80.67.82.235, 80.67.82.211, 20.50.102.62, 23.211.6.115, 40.112.88.60 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:12:54	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
21:12:55	API Interceptor	653x Sleep call for process: iGZtra5EaP.exe modified
21:12:56	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\iGZtra5EaP.exe" s>$(Arg0)
21:12:56	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
backupnew.duckdns.org	y7PKSDpFe0.exe	Get hash	malicious	Browse	191.177.183.137

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	788480
Entropy (8bit):	7.405761902599822
Encrypted:	false
SSDEEP:	24576:K+J70cLvBwP+8oUSmntIV+60wST8OQpi:KK70qvFISLZ5I3
MD5:	5ABFC84B2A671617A4930A61E218B6C6
SHA1:	FB2E5175272B90AA204853DD2BA2DC175FF5958F
SHA-256:	776E6E841B2A1B1DACD2BEB12F76949DC9A395A45BD7107475D90B60F09E5F39
SHA-512:	64A5E3C121442007176DE090B4F24FBB7FFE0018BB774431D70B4941EFE9264E23349CF0A83750BEAE6172E05D30C9CBAAFD542F74FA22EDFEE190DD7515DF36
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 64%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....].`.................x..........^.... ........@.. .......................`............@.....................................O............................@....................................................... ............... ..H............text...dw... ...x.................. ..`.rsrc................z..............@..@.reloc.......@......................@..B................@.......H......................0...._...........................................0..............0..............s....(......0...........(......0............}......}.....(.........}........(...s'...}.......}......}.....u....,9..o.......(....r...p(....-...o.......(....r...p(....+..+....,...t....s0........}.....0..I...............(.... N... !l..a%..^E................+.... ...Z ..a+....}........0..E........ q[0. ..L.a%..^E............#...+!....$...s#...}..... .(.+Z ]r..a+.....0..

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\iGZtra5EaP.exe.log Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmp3997.tmp Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.197051255242617
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBpFtn:cbh47TlNQ//rydbz9I3YODOLNdq3nv
MD5:	F100F4090A302E04A4E5584333049320
SHA1:	69E6D2690B5E7D9BAFD8D69FF8D9ABEA0C34AC01
SHA-256:	A9DFF35D768ED46D311434A85F8BFF2F1B7D02160E6FCE7EFB8A579C90E02BB0
SHA-512:	CF0A3368A7A96FFD4A6DE947120BB61CA61C751DB91458BA4DC77EF2836B1D44E4AD3E464EB21FFD82AE9B1A17196545C09D196DE8D30A1716F3830499077430
Malicious:	true
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmp489A.tmp Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	5.108613782269879
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0zgLrxtn:cbk4oL600QydbQxIYODOLedq3Lvj
MD5:	73882135D094B9C109522AE7A7FB03A0
SHA1:	8455954767A1F42B6393ADCB5CA25E96CA467D7B
SHA-256:	9AD453C7A4F46761E71DC36D48B953E8A8818299E599528545284311EE94C7FF
SHA-512:	9785A28A920F0964EE37087EF8D6C17CC432F982EF88A684CFEA3261BE9CC01B6D89C67E2F631E50615416786E8D6A36AA8264C9086A0883C90E698B5BCA387B
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp4CC2.tmp Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp63D.tmp Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.197051255242617
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBpFtn:cbh47TlNQ//rydbz9I3YODOLNdq3nv
MD5:	F100F4090A302E04A4E5584333049320
SHA1:	69E6D2690B5E7D9BAFD8D69FF8D9ABEA0C34AC01
SHA-256:	A9DFF35D768ED46D311434A85F8BFF2F1B7D02160E6FCE7EFB8A579C90E02BB0
SHA-512:	CF0A3368A7A96FFD4A6DE947120BB61CA61C751DB91458BA4DC77EF2836B1D44E4AD3E464EB21FFD82AE9B1A17196545C09D196DE8D30A1716F3830499077430
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpF219.tmp Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.197051255242617
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBpFtn:cbh47TlNQ//rydbz9I3YODOLNdq3nv
MD5:	F100F4090A302E04A4E5584333049320
SHA1:	69E6D2690B5E7D9BAFD8D69FF8D9ABEA0C34AC01
SHA-256:	A9DFF35D768ED46D311434A85F8BFF2F1B7D02160E6FCE7EFB8A579C90E02BB0
SHA-512:	CF0A3368A7A96FFD4A6DE947120BB61CA61C751DB91458BA4DC77EF2836B1D44E4AD3E464EB21FFD82AE9B1A17196545C09D196DE8D30A1716F3830499077430
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpF5E2.tmp Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.197051255242617
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBpFtn:cbh47TlNQ//rydbz9I3YODOLNdq3nv
MD5:	F100F4090A302E04A4E5584333049320
SHA1:	69E6D2690B5E7D9BAFD8D69FF8D9ABEA0C34AC01
SHA-256:	A9DFF35D768ED46D311434A85F8BFF2F1B7D02160E6FCE7EFB8A579C90E02BB0
SHA-512:	CF0A3368A7A96FFD4A6DE947120BB61CA61C751DB91458BA4DC77EF2836B1D44E4AD3E464EB21FFD82AE9B1A17196545C09D196DE8D30A1716F3830499077430
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	data
Category:	dropped
Size (bytes):	696
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	12:X4LEnybgCF0uCYKZr+dLEnybgCF0uCYKZr+dLEnybgCF0uCYKZr+K:IQnybgC4jh+dQnybgC4jh+dQnybgC4jp
MD5:	AF6AA7C823112E2342E8D98BE5EDE0A9
SHA1:	D48CA92F4FA11CC9619185563F2D57A6099D21D0
SHA-256:	8D2ACD0CB78A2C690E2DCA1E9C92D273DAF4804DF0B4AC55E14D120C96F7671D
SHA-512:	B822403E85339F4FF2D88608D73DA75A149756FF44454386E1EB2451A6CCCE0F65ECA596F95BBBAD942C963F8C4CA2ADE582D6E50750596DB263BA879FB3ECE1
Malicious:	false
Reputation:	unknown
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	ATSC A/52 aka AC-3 aka Dolby Digital stream, reserved frequency,, emergency (E) 2 front/2 rear,
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:d:d
MD5:	20522AD33E431199BB129A1CA16DC20F
SHA1:	13C39E11506CDFEC1DB5466B527EB0FD330EA995
SHA-256:	C21A5D95DEA000373611071378FFB0EA886D4ED3F351DF8B7F1622B81E159164
SHA-512:	E49AD7E3542762FA4505433CC34A38175C6AD670D25D374104B3D7819F2162ABBA011B9AFD1181717A5FA80143EBEC7412653870F1C63713F2D88D7102BE8468
Malicious:	true
Reputation:	unknown
Preview:	.wB!.V.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	data
Category:	modified
Size (bytes):	327768
Entropy (8bit):	7.999367066417797
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
MD5:	2E52F446105FBF828E63CF808B721F9C
SHA1:	5330E54F238F46DC04C1AC62B051DB4FCD7416FB
SHA-256:	2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
SHA-512:	C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
Malicious:	false
Reputation:	unknown
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	4.337435460048129
Encrypted:	false
SSDEEP:	3:oNWXp5vMiZXEQgE1J:oNWXpFMgX5Br
MD5:	6C946DFBF2EF9628FED080E3558D6822
SHA1:	B3DF6F9B8483D7F991B1D45AD814E5411CBE9001
SHA-256:	A82D2B0C7E89C7C267181AC684F6319F8EF28CAFD5A4BB4B8792DECB80AD7403
SHA-512:	BF0E078002808DD32BFD4D8757857C64026C091647A79838B49D37F085377569E74D553872D0DB10FF6481958057FFF973EB257AC58F0EC43907004D627CC524
Malicious:	false
Reputation:	unknown
Preview:	C:\Users\user\Desktop\iGZtra5EaP.exe

C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	788480
Entropy (8bit):	7.405761902599822
Encrypted:	false
SSDEEP:	24576:K+J70cLvBwP+8oUSmntIV+60wST8OQpi:KK70qvFISLZ5I3
MD5:	5ABFC84B2A671617A4930A61E218B6C6
SHA1:	FB2E5175272B90AA204853DD2BA2DC175FF5958F
SHA-256:	776E6E841B2A1B1DACD2BEB12F76949DC9A395A45BD7107475D90B60F09E5F39
SHA-512:	64A5E3C121442007176DE090B4F24FBB7FFE0018BB774431D70B4941EFE9264E23349CF0A83750BEAE6172E05D30C9CBAAFD542F74FA22EDFEE190DD7515DF36
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 64%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....].`.................x..........^.... ........@.. .......................`............@.....................................O............................@....................................................... ............... ..H............text...dw... ...x.................. ..`.rsrc................z..............@..@.reloc.......@......................@..B................@.......H......................0...._...........................................0..............0..............s....(......0...........(......0............}......}.....(.........}........(...s'...}.......}......}.....u....,9..o.......(....r...p(....-...o.......(....r...p(....+..+....,...t....s0........}.....0..I...............(.... N... !l..a%..^E................+.... ...Z ..a+....}........0..E........ q[0. ..L.a%..^E............#...+!....$...s#...}..... .(.+Z ]r..a+.....0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.405761902599822
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	iGZtra5EaP.exe
File size:	788480
MD5:	5abfc84b2a671617a4930a61e218b6c6
SHA1:	fb2e5175272b90aa204853dd2ba2dc175ff5958f
SHA256:	776e6e841b2a1b1dacd2beb12f76949dc9a395a45bd7107475d90b60f09e5f39
SHA512:	64a5e3c121442007176de090b4f24fbb7ffe0018bb774431d70b4941efe9264e23349cf0a83750beae6172e05d30c9cbaafd542f74fa22edfee190dd7515df36
SSDEEP:	24576:K+J70cLvBwP+8oUSmntIV+60wST8OQpi:KK70qvFISLZ5I3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....].`.................x..........^.... ........@.. .......................`............@................................

File Icon


Icon Hash:	f8beee8f9792cc60

Static PE Info

General
Entrypoint:	0x4a975e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60FF5D0A [Tue Jul 27 01:10:34 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa970c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x18a1c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa7764	0xa7800	False	0.768110132929	data	7.50200224495	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x18a1c	0x18c00	False	0.646977588384	data	6.18338598117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc4000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xaa1a8	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0xaa610	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 14476016, next used block 16777215
RT_ICON	0xab6b8	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0xadc60	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_ICON	0xb1e88	0x10828	dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON	0xc26b0	0x4c	data
RT_VERSION	0xc26fc	0x320	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2010 - 2021
Assembly Version	1.0.0.0
InternalName	IpTl.exe
FileVersion	1.0.0.0
CompanyName	Douglas Heriot
LegalTrademarks
Comments
ProductName	Uno
ProductVersion	1.0.0.0
FileDescription	Uno
OriginalFilename	IpTl.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/03/21-21:13:53.952166	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49737	1177	192.168.2.3	20.197.234.75
08/03/21-21:14:01.197544	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49743	1177	192.168.2.3	20.197.234.75
08/03/21-21:14:08.027723	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49744	1177	192.168.2.3	20.197.234.75
08/03/21-21:14:15.852637	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49745	1177	192.168.2.3	20.197.234.75

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 21:12:57.579962015 CEST	49724	1177	192.168.2.3	20.206.66.33
Aug 3, 2021 21:13:00.571827888 CEST	49724	1177	192.168.2.3	20.206.66.33
Aug 3, 2021 21:13:06.587903976 CEST	49724	1177	192.168.2.3	20.206.66.33
Aug 3, 2021 21:13:16.871193886 CEST	49733	1177	192.168.2.3	20.206.66.33
Aug 3, 2021 21:13:19.885943890 CEST	49733	1177	192.168.2.3	20.206.66.33
Aug 3, 2021 21:13:25.886432886 CEST	49733	1177	192.168.2.3	20.206.66.33
Aug 3, 2021 21:13:35.279393911 CEST	49734	1177	192.168.2.3	20.206.66.33
Aug 3, 2021 21:13:38.278109074 CEST	49734	1177	192.168.2.3	20.206.66.33
Aug 3, 2021 21:13:44.278810978 CEST	49734	1177	192.168.2.3	20.206.66.33
Aug 3, 2021 21:13:53.692378998 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:53.897825003 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:53.897969961 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:53.952166080 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:54.176150084 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.192786932 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:54.398108959 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.399007082 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:54.645457029 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.647166967 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:54.895523071 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908375025 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908399105 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908425093 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908472061 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908510923 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908514977 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:54.908531904 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908560038 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:54.908570051 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908590078 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908622980 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:54.908626080 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908644915 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908664942 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:54.911101103 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.115344048 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115370989 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115396976 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115415096 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115437984 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115452051 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115462065 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.115470886 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115494013 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115519047 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115537882 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115552902 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115564108 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.115570068 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115595102 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115596056 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.115617037 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.115617990 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115633965 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115648985 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115668058 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.115905046 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.116800070 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.116831064 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.116842985 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.116854906 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.116878986 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.117013931 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.320789099 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.320813894 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.320841074 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.320861101 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.320880890 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.320899963 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.320930004 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.320945978 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.320950985 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.320966959 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.320971012 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.320997953 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321034908 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.321091890 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321137905 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321180105 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.321201086 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321219921 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321244001 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.321263075 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321283102 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321306944 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321320057 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.321325064 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321346045 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321368933 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321386099 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321386099 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.321404934 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321428061 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321450949 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.321451902 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321466923 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.321469069 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321472883 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.321489096 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321510077 CEST	1177	49737	20.197.234.75	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 21:12:01.109611988 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:01.134887934 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:02.063708067 CEST	60152	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:02.091734886 CEST	53	60152	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:03.066673994 CEST	57544	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:03.103312969 CEST	53	57544	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:04.533109903 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:04.557722092 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:06.049359083 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:06.082962036 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:07.082231998 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:07.106795073 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:08.409079075 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:08.433707952 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:09.438163042 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:09.472070932 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:10.619234085 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:10.644360065 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:11.951595068 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:11.984942913 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:13.041790962 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:13.066571951 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:14.066262007 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:14.093660116 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:15.132930994 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:15.160356045 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:16.128326893 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:16.155726910 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:16.948605061 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:16.975970984 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:17.785754919 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:17.811728001 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:18.827930927 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:18.860707998 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:28.849370003 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:28.893198013 CEST	53	58823	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:38.021297932 CEST	57568	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:38.058449030 CEST	53	57568	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:55.061098099 CEST	50540	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:55.111238003 CEST	53	50540	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:57.517040014 CEST	54366	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:57.551525116 CEST	53	54366	8.8.8.8	192.168.2.3
Aug 3, 2021 21:13:05.174351931 CEST	53034	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:13:05.206892967 CEST	53	53034	8.8.8.8	192.168.2.3
Aug 3, 2021 21:13:08.243547916 CEST	57762	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:13:08.280884027 CEST	53	57762	8.8.8.8	192.168.2.3
Aug 3, 2021 21:13:16.810172081 CEST	55435	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:13:16.852745056 CEST	53	55435	8.8.8.8	192.168.2.3
Aug 3, 2021 21:13:35.243072987 CEST	50713	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:13:35.278100014 CEST	53	50713	8.8.8.8	192.168.2.3
Aug 3, 2021 21:13:41.339929104 CEST	56132	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:13:41.373847961 CEST	53	56132	8.8.8.8	192.168.2.3
Aug 3, 2021 21:13:53.562072992 CEST	58987	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:13:53.690700054 CEST	53	58987	8.8.8.8	192.168.2.3
Aug 3, 2021 21:13:55.349746943 CEST	56579	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:13:55.382289886 CEST	53	56579	8.8.8.8	192.168.2.3
Aug 3, 2021 21:13:55.394263983 CEST	60633	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:13:55.441853046 CEST	53	60633	8.8.8.8	192.168.2.3
Aug 3, 2021 21:14:00.827917099 CEST	61292	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:14:00.968957901 CEST	53	61292	8.8.8.8	192.168.2.3
Aug 3, 2021 21:14:07.783363104 CEST	63619	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:14:07.818789959 CEST	53	63619	8.8.8.8	192.168.2.3
Aug 3, 2021 21:14:15.611778975 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:14:15.644599915 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 3, 2021 21:14:22.665736914 CEST	61946	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:14:22.698612928 CEST	53	61946	8.8.8.8	192.168.2.3
Aug 3, 2021 21:14:22.919195890 CEST	64910	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:14:22.952229977 CEST	53	64910	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 21:12:57.517040014 CEST	192.168.2.3	8.8.8.8	0x2fa0	Standard query (0)	microsoftsecurity.sytes.net	A (IP address)	IN (0x0001)
Aug 3, 2021 21:13:16.810172081 CEST	192.168.2.3	8.8.8.8	0xced5	Standard query (0)	microsoftsecurity.sytes.net	A (IP address)	IN (0x0001)
Aug 3, 2021 21:13:35.243072987 CEST	192.168.2.3	8.8.8.8	0x56c6	Standard query (0)	microsoftsecurity.sytes.net	A (IP address)	IN (0x0001)
Aug 3, 2021 21:13:53.562072992 CEST	192.168.2.3	8.8.8.8	0x3bf6	Standard query (0)	backupnew.duckdns.org	A (IP address)	IN (0x0001)
Aug 3, 2021 21:14:00.827917099 CEST	192.168.2.3	8.8.8.8	0x5378	Standard query (0)	backupnew.duckdns.org	A (IP address)	IN (0x0001)
Aug 3, 2021 21:14:07.783363104 CEST	192.168.2.3	8.8.8.8	0xa0b0	Standard query (0)	backupnew.duckdns.org	A (IP address)	IN (0x0001)
Aug 3, 2021 21:14:15.611778975 CEST	192.168.2.3	8.8.8.8	0xdf8f	Standard query (0)	backupnew.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 3, 2021 21:12:57.551525116 CEST	8.8.8.8	192.168.2.3	0x2fa0	No error (0)	microsoftsecurity.sytes.net	20.206.66.33	A (IP address)	IN (0x0001)
Aug 3, 2021 21:13:16.852745056 CEST	8.8.8.8	192.168.2.3	0xced5	No error (0)	microsoftsecurity.sytes.net	20.206.66.33	A (IP address)	IN (0x0001)
Aug 3, 2021 21:13:35.278100014 CEST	8.8.8.8	192.168.2.3	0x56c6	No error (0)	microsoftsecurity.sytes.net	20.206.66.33	A (IP address)	IN (0x0001)
Aug 3, 2021 21:13:53.690700054 CEST	8.8.8.8	192.168.2.3	0x3bf6	No error (0)	backupnew.duckdns.org	20.197.234.75	A (IP address)	IN (0x0001)
Aug 3, 2021 21:14:00.968957901 CEST	8.8.8.8	192.168.2.3	0x5378	No error (0)	backupnew.duckdns.org	20.197.234.75	A (IP address)	IN (0x0001)
Aug 3, 2021 21:14:07.818789959 CEST	8.8.8.8	192.168.2.3	0xa0b0	No error (0)	backupnew.duckdns.org	20.197.234.75	A (IP address)	IN (0x0001)
Aug 3, 2021 21:14:15.644599915 CEST	8.8.8.8	192.168.2.3	0xdf8f	No error (0)	backupnew.duckdns.org	20.197.234.75	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: iGZtra5EaP.exe PID: 5832 Parent PID: 5496

General

Start time:	21:12:07
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\iGZtra5EaP.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\iGZtra5EaP.exe'
Imagebase:	0x950000
File size:	788480 bytes
MD5 hash:	5ABFC84B2A671617A4930A61E218B6C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.293558443.0000000002CC1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: schtasks.exe PID: 6008 Parent PID: 5832

General

Start time:	21:12:49
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp3997.tmp'
Imagebase:	0xae0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5896 Parent PID: 6008

General

Start time:	21:12:50
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iGZtra5EaP.exe PID: 4720 Parent PID: 5832

General

Start time:	21:12:51
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\iGZtra5EaP.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xef0000
File size:	788480 bytes
MD5 hash:	5ABFC84B2A671617A4930A61E218B6C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.482078580.0000000006E40000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.482078580.0000000006E40000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.476961664.000000000454E000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.476961664.000000000454E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.482179100.0000000006E90000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.482179100.0000000006E90000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.471078718.0000000001AD0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.471078718.0000000001AD0000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.475401082.000000000374C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.481910813.0000000006DB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.481910813.0000000006DB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.481995550.0000000006E00000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.481995550.0000000006E00000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.482020693.0000000006E10000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.482020693.0000000006E10000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.481961618.0000000006DE0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.481961618.0000000006DE0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.481945946.0000000006DD0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.481945946.0000000006DD0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.482036750.0000000006E20000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.482036750.0000000006E20000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.473787584.00000000034F7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.480093816.0000000005EC0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.480093816.0000000005EC0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.482102080.0000000006E50000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.482102080.0000000006E50000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.477941629.00000000048DF000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.477941629.00000000048DF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.480306697.0000000006760000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.480306697.0000000006760000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.476599395.00000000044C9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.476599395.00000000044C9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.476392070.0000000004481000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.476392070.0000000004481000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.481978911.0000000006DF0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.481978911.0000000006DF0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.472713339.0000000003481000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: schtasks.exe PID: 4664 Parent PID: 4720

General

Start time:	21:12:53
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp489A.tmp'
Imagebase:	0xae0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 2588 Parent PID: 4664

General

Start time:	21:12:53
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exe PID: 5556 Parent PID: 4720

General

Start time:	21:12:54
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4CC2.tmp'
Imagebase:	0xae0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 256 Parent PID: 5556

General

Start time:	21:12:54
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iGZtra5EaP.exe PID: 1288 Parent PID: 528

General

Start time:	21:12:56
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\iGZtra5EaP.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\iGZtra5EaP.exe 0
Imagebase:	0x630000
File size:	788480 bytes
MD5 hash:	5ABFC84B2A671617A4930A61E218B6C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000011.00000002.398277931.0000000002B51000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: dhcpmon.exe PID: 496 Parent PID: 528

General

Start time:	21:12:57
Start date:	03/08/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0xc60000
File size:	788480 bytes
MD5 hash:	5ABFC84B2A671617A4930A61E218B6C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000012.00000002.400511596.0000000003091000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 64%, ReversingLabs
Reputation:	low

Analysis Process: dhcpmon.exe PID: 5756 Parent PID: 3388

General

Start time:	21:13:03
Start date:	03/08/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0xc20000
File size:	788480 bytes
MD5 hash:	5ABFC84B2A671617A4930A61E218B6C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: schtasks.exe PID: 5044 Parent PID: 1288

General

Start time:	21:13:37
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpF219.tmp'
Imagebase:	0xae0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5096 Parent PID: 5044

General

Start time:	21:13:38
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iGZtra5EaP.exe PID: 5016 Parent PID: 1288

General

Start time:	21:13:38
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\iGZtra5EaP.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x520000
File size:	788480 bytes
MD5 hash:	5ABFC84B2A671617A4930A61E218B6C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: schtasks.exe PID: 5004 Parent PID: 496

General

Start time:	21:13:38
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpF5E2.tmp'
Imagebase:	0xae0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 1324 Parent PID: 5004

General

Start time:	21:13:39
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: dhcpmon.exe PID: 3008 Parent PID: 496

General

Start time:	21:13:40
Start date:	03/08/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xb20000
File size:	788480 bytes
MD5 hash:	5ABFC84B2A671617A4930A61E218B6C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.423536148.0000000004019000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.423536148.0000000004019000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Analysis Process: schtasks.exe PID: 1036 Parent PID: 5756

General

Start time:	21:13:43
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp63D.tmp'
Imagebase:	0xae0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 5072 Parent PID: 1036

General

Start time:	21:13:43
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: dhcpmon.exe PID: 5200 Parent PID: 5756

General

Start time:	21:13:44
Start date:	03/08/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xb10000
File size:	788480 bytes
MD5 hash:	5ABFC84B2A671617A4930A61E218B6C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000002.431679291.0000000002FA1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000021.00000002.431679291.0000000002FA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report iGZtra5EaP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre