Windows Analysis Report credit notification pdf.exe

Overview

General Information

Sample Name:	credit notification pdf.exe
Analysis ID:	509207
MD5:	69d14fb14deeb4bc08a3c47840d1f6fb
SHA1:	2830362d97678edaa8dc6f28a8c555f690101bed
SHA256:	2719fac0d4d5ff10221753f561d70346516d6226a3868c40a9d4c9282f370aa0
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Writes to foreign memory regions

Machine Learning detection for sample

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to launch a process as a different user

Stores files to the Windows start menu directory

HTTP GET or POST without a user agent

Uses insecure TLS / SSL version for HTTPS connection

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Binary contains a suspicious time stamp

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000016.00000002.563485331.0000000003AF1000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "74fb9edb-82b1-41e4-91bd-7fe787b0", "Group": "gatewayproject", "Domain1": "arkseven702.ddns.net", "Domain2": "arkseven702.ddns.net", "Port": 7727, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for submitted file

Source: credit notification pdf.exe	Virustotal: Detection: 50%			Perma Link
Source: credit notification pdf.exe	ReversingLabs: Detection: 26%

Antivirus / Scanner detection for submitted sample

Source: credit notification pdf.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\a.exe

Avira: detection malicious, Label: HEUR/AGEN.1142630

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\info.exe

Metadefender: Detection: 13%

Perma Link

Yara detected Nanocore RAT

Source: Yara match	File source: 22.2.InstallUtil.exe.3b08a40.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.43c69a2.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.credit notification pdf.exe.3e7acd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.43d9c08.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.credit notification pdf.exe.3e67a6a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.5000000.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.credit notification pdf.exe.3d6347a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.4159510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.5004629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.3b08a40.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.3af458d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.427c582.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.427c582.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.credit notification pdf.exe.3e34eba.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.credit notification pdf.exe.3d1d64a.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.43d9c08.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.credit notification pdf.exe.3e7acd0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.42c23b2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.5000000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.credit notification pdf.exe.3d6347a.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.3b0d069.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.4393df2.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.42c23b2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.42af132.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.4393df2.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.credit notification pdf.exe.3e34eba.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.3c3e1d2.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.3c1d971.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.credit notification pdf.exe.3d501fa.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.credit notification pdf.exe.3d1d64a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.3c29ba5.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.568714078.0000000004155000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.552094200.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.560870455.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.570615041.0000000004393000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.569259348.0000000004236000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.563485331.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.566701929.0000000005000000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.403105873.0000000003E34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.401547409.0000000003CD7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.563896291.0000000003B6E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: credit notification pdf.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: a.exe PID: 2132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5244, type: MEMORYSTR

Machine Learning detection for sample

Source: credit notification pdf.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\a.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 22.2.InstallUtil.exe.5000000.22.unpack	Avira: Label: TR/NanoCore.fadte
Source: 22.2.InstallUtil.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Source: credit notification pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.3:49743 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.3:49747 version: TLS 1.0

Source: credit notification pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: mscorlib.pdb source: InstallUtil.exe, 00000016.00000002.555717995.0000000000E57000.00000004.00000020.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: InstallUtil.exe, 00000016.00000002.568660454.0000000006890000.00000004.00020000.sdmp
Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000016.00000000.480677451.00000000006A2000.00000002.00020000.sdmp, dhcpmon.exe, 0000001C.00000002.523179910.0000000000C52000.00000002.00020000.sdmp, dhcpmon.exe.22.dr
Source:	Binary string: orlib.pdb source: InstallUtil.exe, 00000016.00000002.555717995.0000000000E57000.00000004.00000020.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: InstallUtil.exe, 00000016.00000002.568825311.00000000068D0000.00000004.00020000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: InstallUtil.exe, 00000016.00000002.568750621.00000000068B0000.00000004.00020000.sdmp
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, dhcpmon.exe, 0000001C.00000002.523179910.0000000000C52000.00000002.00020000.sdmp, dhcpmon.exe.22.dr
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: InstallUtil.exe, 00000016.00000002.568630066.0000000006880000.00000004.00020000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: InstallUtil.exe, 00000016.00000002.568780094.00000000068C0000.00000004.00020000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: InstallUtil.exe, 00000016.00000002.568722361.00000000068A0000.00000004.00020000.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-6Ch]	1_2_051148F0
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-6Ch]	1_2_051148F0
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-6Ch]	1_2_051148F0
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_05115970
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 4x nop then mov eax, dword ptr [ebp-34h]	1_2_0511A0C9
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_05115960
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	1_2_0669AE80
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	1_2_0669E768
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 4x nop then jmp 06692479h	1_2_06691C00
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	1_2_0669E759
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 4x nop then jmp 06692479h	1_2_06691BE0
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-6Ch]	13_2_055E48E3
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-6Ch]	13_2_055E48E3
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-6Ch]	13_2_055E48E3
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	13_2_055E5960
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 4x nop then mov eax, dword ptr [ebp-34h]	13_2_055EA0C9
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	22_2_0547AA89
Source: C:\Users\user\AppData\Local\Temp\info.exe	Code function: 4x nop then jmp 014C0799h	24_2_014C0560
Source: C:\Users\user\AppData\Local\Temp\info.exe	Code function: 4x nop then jmp 014C0799h	24_2_014C0552
Source: C:\Users\user\AppData\Local\Temp\info.exe	Code function: 4x nop then jmp 008A0799h	25_2_008A0560
Source: C:\Users\user\AppData\Local\Temp\info.exe	Code function: 4x nop then jmp 008A0799h	25_2_008A0555

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: arkseven702.ddns.net

Uses dynamic DNS services

Source: unknown

DNS query: name: arkseven702.ddns.net

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: RHC-HOSTINGGB RHC-HOSTINGGB

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.3:49743 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.3:49747 version: TLS 1.0

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49818 -> 212.192.246.88:7727

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747

Source: credit notification pdf.exe, 00000001.00000002.390314546.000000000101B000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: InstallUtil.exe, 00000016.00000002.568780094.00000000068C0000.00000004.00020000.sdmp	String found in binary or memory: http://google.com
Source: credit notification pdf.exe, 00000001.00000002.404595976.00000000069BE000.00000004.00000001.sdmp, a.exe, 0000000D.00000003.405477504.0000000006E8E000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado/1
Source: credit notification pdf.exe, 00000001.00000003.388077249.00000000069BE000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado/1:
Source: credit notification pdf.exe, 00000001.00000002.404595976.00000000069BE000.00000004.00000001.sdmp, a.exe, 0000000D.00000003.405477504.0000000006E8E000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: credit notification pdf.exe, 00000001.00000003.388077249.00000000069BE000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g:
Source: credit notification pdf.exe, 00000001.00000002.404595976.00000000069BE000.00000004.00000001.sdmp, a.exe, 0000000D.00000003.405477504.0000000006E8E000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cobj
Source: credit notification pdf.exe, 00000001.00000003.388077249.00000000069BE000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cobj:
Source: credit notification pdf.exe, 00000001.00000003.288074374.00000000069BE000.00000004.00000001.sdmp	String found in binary or memory: http://ns.d
Source: credit notification pdf.exe, 00000001.00000002.390971058.0000000002BF1000.00000004.00000001.sdmp, a.exe, 0000000D.00000002.561658810.0000000003151000.00000004.00000001.sdmp, InstallUtil.exe, 00000016.00000002.560870455.0000000002AA1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: credit notification pdf.exe	String found in binary or memory: http://tempuri.org/libraryDataSet.xsd
Source: credit notification pdf.exe	String found in binary or memory: http://tempuri.org/libraryDataSet1.xsd
Source: credit notification pdf.exe, 00000001.00000002.390971058.0000000002BF1000.00000004.00000001.sdmp, a.exe, 0000000D.00000002.561658810.0000000003151000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: credit notification pdf.exe	String found in binary or memory: https://www.google.com/

Source: unknown

DNS traffic detected: queries for: www.google.com

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: credit notification pdf.exe, 00000001.00000002.390148602.0000000000FC8000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Installs a raw input device (often for capturing keystrokes)

Source: InstallUtil.exe, 00000016.00000002.563485331.0000000003AF1000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Source: Yara match	File source: 22.2.InstallUtil.exe.3b08a40.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.43c69a2.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.credit notification pdf.exe.3e7acd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.43d9c08.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.credit notification pdf.exe.3e67a6a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.5000000.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.credit notification pdf.exe.3d6347a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.4159510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.5004629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.3b08a40.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.3af458d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.427c582.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.427c582.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.credit notification pdf.exe.3e34eba.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.credit notification pdf.exe.3d1d64a.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.43d9c08.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.credit notification pdf.exe.3e7acd0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.42c23b2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.5000000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.credit notification pdf.exe.3d6347a.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.3b0d069.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.4393df2.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.42c23b2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.42af132.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.4393df2.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.credit notification pdf.exe.3e34eba.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.3c3e1d2.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.3c1d971.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.credit notification pdf.exe.3d501fa.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.credit notification pdf.exe.3d1d64a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.3c29ba5.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.568714078.0000000004155000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.552094200.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.560870455.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.570615041.0000000004393000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.569259348.0000000004236000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.563485331.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.566701929.0000000005000000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.403105873.0000000003E34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.401547409.0000000003CD7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.563896291.0000000003B6E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: credit notification pdf.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: a.exe PID: 2132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5244, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Source: 22.2.InstallUtil.exe.3b08a40.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.6950000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.6910000.33.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.691e8a4.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.a.exe.43c69a2.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.a.exe.43c69a2.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.credit notification pdf.exe.3e7acd0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.credit notification pdf.exe.3e7acd0.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.InstallUtil.exe.2adc61c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.2adc61c.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.a.exe.43d9c08.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.a.exe.43d9c08.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.credit notification pdf.exe.3e67a6a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.credit notification pdf.exe.3e67a6a.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.InstallUtil.exe.3de856f.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.3c1d971.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.2b329d8.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.3de856f.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.3de856f.18.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.InstallUtil.exe.3dff7ce.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.5000000.22.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.6890000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.credit notification pdf.exe.3d6347a.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.credit notification pdf.exe.3d6347a.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.InstallUtil.exe.68b0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.a.exe.4159510.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.a.exe.4159510.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.InstallUtil.exe.68a0000.27.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.68e0000.31.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.68e0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.5004629.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.4fc0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.3df139e.17.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.6880000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.3b08a40.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.2aebb6c.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.68a0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.3af458d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.a.exe.427c582.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.a.exe.427c582.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.InstallUtil.exe.3c29ba5.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.3aa9930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.5320000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.a.exe.427c582.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.a.exe.427c582.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.credit notification pdf.exe.3e34eba.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.credit notification pdf.exe.3e34eba.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.InstallUtil.exe.68c0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.3dff7ce.16.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.6950000.36.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.credit notification pdf.exe.3d1d64a.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.credit notification pdf.exe.3d1d64a.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.a.exe.43d9c08.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.a.exe.43d9c08.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.InstallUtil.exe.68d0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.credit notification pdf.exe.3e7acd0.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.credit notification pdf.exe.3e7acd0.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.InstallUtil.exe.68d0000.30.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.a.exe.42c23b2.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.a.exe.42c23b2.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.InstallUtil.exe.3aa9930.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.3aae5cf.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.5000000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.68c0000.29.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.6900000.32.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.3df139e.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.2b470ec.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.2b470ec.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.InstallUtil.exe.6910000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.6890000.26.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.3ab81d4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.credit notification pdf.exe.3d6347a.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.credit notification pdf.exe.3d6347a.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.InstallUtil.exe.5320000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.3b0d069.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.6840000.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.6900000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.6914c9f.35.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.2b4cb58.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.2b4cb58.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.a.exe.4393df2.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.a.exe.4393df2.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.a.exe.42c23b2.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.a.exe.42c23b2.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.InstallUtil.exe.6840000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.2b4cb58.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.a.exe.42af132.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.a.exe.42af132.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.InstallUtil.exe.2aebb6c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.a.exe.4393df2.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.a.exe.4393df2.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.credit notification pdf.exe.3e34eba.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.credit notification pdf.exe.3e34eba.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.credit notification pdf.exe.3d1d64a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.2b329d8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.credit notification pdf.exe.3d501fa.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.InstallUtil.exe.3c1d971.14.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.credit notification pdf.exe.3d501fa.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.InstallUtil.exe.3c3e1d2.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.InstallUtil.exe.2b329d8.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.credit notification pdf.exe.3d1d64a.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.InstallUtil.exe.3c29ba5.15.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.568953807.0000000006900000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.568722361.00000000068A0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.568714078.0000000004155000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.568714078.0000000004155000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.552094200.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.552094200.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.566580432.0000000004FC0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.568437071.0000000006840000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.560870455.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.570615041.0000000004393000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.570615041.0000000004393000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.568983999.0000000006910000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.569259348.0000000004236000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.569259348.0000000004236000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.568825311.00000000068D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.568780094.00000000068C0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.568853314.00000000068E0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.566701929.0000000005000000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.568750621.00000000068B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.568660454.0000000006890000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.567267389.0000000005320000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.568630066.0000000006880000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.565257377.0000000003D8C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.569139313.0000000006950000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.403105873.0000000003E34000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.403105873.0000000003E34000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.561123115.0000000002B28000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.401547409.0000000003CD7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.401547409.0000000003CD7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.563896291.0000000003B6E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: credit notification pdf.exe PID: 6752, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: credit notification pdf.exe PID: 6752, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: a.exe PID: 2132, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: a.exe PID: 2132, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: InstallUtil.exe PID: 5244, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Uses 32bit PE files

Source: credit notification pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 22.2.InstallUtil.exe.3b08a40.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.3b08a40.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.6950000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.6950000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.6910000.33.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.6910000.33.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.691e8a4.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.691e8a4.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.a.exe.43c69a2.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.a.exe.43c69a2.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.a.exe.43c69a2.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.credit notification pdf.exe.3e7acd0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.credit notification pdf.exe.3e7acd0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.credit notification pdf.exe.3e7acd0.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.InstallUtil.exe.2adc61c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.2adc61c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.2adc61c.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.a.exe.43d9c08.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.a.exe.43d9c08.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.a.exe.43d9c08.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.credit notification pdf.exe.3e67a6a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.credit notification pdf.exe.3e67a6a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.credit notification pdf.exe.3e67a6a.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.InstallUtil.exe.3de856f.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.3de856f.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.3c1d971.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.3c1d971.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.2b329d8.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.2b329d8.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.3de856f.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.3de856f.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.3de856f.18.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.InstallUtil.exe.3dff7ce.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.3dff7ce.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.5000000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.5000000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.6890000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.6890000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.credit notification pdf.exe.3d6347a.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.credit notification pdf.exe.3d6347a.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.credit notification pdf.exe.3d6347a.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.InstallUtil.exe.68b0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.68b0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.a.exe.4159510.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.a.exe.4159510.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.a.exe.4159510.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.InstallUtil.exe.68a0000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.68a0000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.68e0000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.68e0000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.68e0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.68e0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.5004629.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.5004629.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.4fc0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.4fc0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.3df139e.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.3df139e.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.6880000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.6880000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.3b08a40.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.3b08a40.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.2aebb6c.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.2aebb6c.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.68a0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.68a0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.3af458d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.3af458d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.a.exe.427c582.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.a.exe.427c582.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.InstallUtil.exe.3c29ba5.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.3c29ba5.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.3aa9930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.3aa9930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.5320000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.5320000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.a.exe.427c582.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.a.exe.427c582.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.a.exe.427c582.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.credit notification pdf.exe.3e34eba.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.credit notification pdf.exe.3e34eba.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.credit notification pdf.exe.3e34eba.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.InstallUtil.exe.68c0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.68c0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.3dff7ce.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.3dff7ce.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.6950000.36.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.6950000.36.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.credit notification pdf.exe.3d1d64a.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.credit notification pdf.exe.3d1d64a.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.credit notification pdf.exe.3d1d64a.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.a.exe.43d9c08.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.a.exe.43d9c08.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.a.exe.43d9c08.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.InstallUtil.exe.68d0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.68d0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.credit notification pdf.exe.3e7acd0.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.credit notification pdf.exe.3e7acd0.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.credit notification pdf.exe.3e7acd0.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.InstallUtil.exe.68d0000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.68d0000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.a.exe.42c23b2.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.a.exe.42c23b2.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.a.exe.42c23b2.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.InstallUtil.exe.3aa9930.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.3aa9930.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.3aae5cf.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.3aae5cf.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.5000000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.5000000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.68c0000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.68c0000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.6900000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.6900000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.3df139e.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.3df139e.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.2b470ec.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.2b470ec.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.InstallUtil.exe.6910000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.6910000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.6890000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.6890000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.3ab81d4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.3ab81d4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.credit notification pdf.exe.3d6347a.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.credit notification pdf.exe.3d6347a.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.credit notification pdf.exe.3d6347a.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.InstallUtil.exe.5320000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.5320000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.3b0d069.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.3b0d069.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.6840000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.6840000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.6900000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.6900000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.6914c9f.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.6914c9f.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.2b4cb58.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.2b4cb58.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.a.exe.4393df2.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.a.exe.4393df2.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.a.exe.4393df2.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.a.exe.42c23b2.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.a.exe.42c23b2.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.a.exe.42c23b2.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.InstallUtil.exe.6840000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.6840000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.2b4cb58.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.2b4cb58.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.a.exe.42af132.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.a.exe.42af132.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.InstallUtil.exe.2aebb6c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.2aebb6c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.a.exe.4393df2.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.a.exe.4393df2.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.a.exe.4393df2.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.credit notification pdf.exe.3e34eba.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.credit notification pdf.exe.3e34eba.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.credit notification pdf.exe.3e34eba.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.credit notification pdf.exe.3d1d64a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.2b329d8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.credit notification pdf.exe.3d501fa.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.InstallUtil.exe.3c1d971.14.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.credit notification pdf.exe.3d501fa.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.InstallUtil.exe.3c3e1d2.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.InstallUtil.exe.2b329d8.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.credit notification pdf.exe.3d1d64a.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.InstallUtil.exe.3c29ba5.15.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.568953807.0000000006900000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.568953807.0000000006900000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000016.00000002.568722361.00000000068A0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.568722361.00000000068A0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.568714078.0000000004155000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.568714078.0000000004155000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.552094200.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.552094200.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.566580432.0000000004FC0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.566580432.0000000004FC0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000016.00000002.568437071.0000000006840000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.568437071.0000000006840000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000016.00000002.560870455.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.570615041.0000000004393000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.570615041.0000000004393000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.568983999.0000000006910000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.568983999.0000000006910000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.569259348.0000000004236000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.569259348.0000000004236000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.568825311.00000000068D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.568825311.00000000068D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000016.00000002.568780094.00000000068C0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.568780094.00000000068C0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000016.00000002.568853314.00000000068E0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.568853314.00000000068E0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000016.00000002.566701929.0000000005000000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.566701929.0000000005000000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000016.00000002.568750621.00000000068B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.568750621.00000000068B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000016.00000002.568660454.0000000006890000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.568660454.0000000006890000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000016.00000002.567267389.0000000005320000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.567267389.0000000005320000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000016.00000002.568630066.0000000006880000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.568630066.0000000006880000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000016.00000002.565257377.0000000003D8C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.569139313.0000000006950000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.569139313.0000000006950000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.403105873.0000000003E34000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.403105873.0000000003E34000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.561123115.0000000002B28000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.401547409.0000000003CD7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.401547409.0000000003CD7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.563896291.0000000003B6E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: credit notification pdf.exe PID: 6752, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: credit notification pdf.exe PID: 6752, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: a.exe PID: 2132, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: a.exe PID: 2132, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: InstallUtil.exe PID: 5244, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Detected potential crypto function

Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 1_2_051161A0	1_2_051161A0
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 1_2_051175E8	1_2_051175E8
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 1_2_05119958	1_2_05119958
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 1_2_0511FAB0	1_2_0511FAB0
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 1_2_05116160	1_2_05116160
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 1_2_0511E8E8	1_2_0511E8E8
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 1_2_06691C00	1_2_06691C00
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 1_2_066900C8	1_2_066900C8
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 1_2_066924A0	1_2_066924A0
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 1_2_06692490	1_2_06692490
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 1_2_06693B00	1_2_06693B00
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 1_2_06693B10	1_2_06693B10
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 1_2_0669B828	1_2_0669B828
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 1_2_0669B838	1_2_0669B838
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 1_2_066900B8	1_2_066900B8
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 1_2_0669C901	1_2_0669C901
Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 1_2_0669C910	1_2_0669C910
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 13_2_07741168	13_2_07741168
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 13_2_07741898	13_2_07741898
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 13_2_07742F38	13_2_07742F38
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 13_2_077363AB	13_2_077363AB
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 13_2_07742AC0	13_2_07742AC0
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 13_2_077348A2	13_2_077348A2
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 13_2_055E61A0	13_2_055E61A0
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 13_2_055E75E8	13_2_055E75E8
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 13_2_055E9958	13_2_055E9958
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 13_2_055E6160	13_2_055E6160
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 13_2_055EE8E8	13_2_055EE8E8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 22_2_006A20B0	22_2_006A20B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 22_2_06962588	22_2_06962588
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 22_2_069546D3	22_2_069546D3
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 22_2_069542EB	22_2_069542EB
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 22_2_069635A8	22_2_069635A8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 22_2_06953324	22_2_06953324
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 22_2_0109E471	22_2_0109E471
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 22_2_0109E480	22_2_0109E480
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 22_2_0109BBD4	22_2_0109BBD4
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 22_2_02A39788	22_2_02A39788
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 22_2_02A3F5F8	22_2_02A3F5F8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 22_2_02A3A610	22_2_02A3A610
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 22_2_0547EE08	22_2_0547EE08
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 22_2_0547FA20	22_2_0547FA20
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 22_2_05477C18	22_2_05477C18
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 22_2_05478830	22_2_05478830
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 22_2_054788EE	22_2_054788EE
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 22_2_0547FADE	22_2_0547FADE

Contains functionality to launch a process as a different user

Source: C:\Users\user\AppData\Roaming\a.exe

Code function: 13_2_0774364C CreateProcessAsUserW,

13_2_0774364C

Sample file is different than original file name gathered from version info

Source: credit notification pdf.exe, 00000001.00000002.404036875.00000000064A0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameSHCore1.dll0 vs credit notification pdf.exe
Source: credit notification pdf.exe, 00000001.00000002.391072891.0000000002C9D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAstronot plart.exe> vs credit notification pdf.exe
Source: credit notification pdf.exe, 00000001.00000002.389730181.0000000000938000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamePI345683 pdf.exeH vs credit notification pdf.exe
Source: credit notification pdf.exe, 00000001.00000002.390148602.0000000000FC8000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs credit notification pdf.exe
Source: credit notification pdf.exe	Binary or memory string: OriginalFilenamePI345683 pdf.exeH vs credit notification pdf.exe

Source: credit notification pdf.exe	Virustotal: Detection: 50%
Source: credit notification pdf.exe	ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\credit notification pdf.exe

File read: C:\Users\user\Desktop\credit notification pdf.exe

Source: unknown	Process created: C:\Users\user\Desktop\credit notification pdf.exe 'C:\Users\user\Desktop\credit notification pdf.exe'
Source: C:\Users\user\Desktop\credit notification pdf.exe	Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: C:\Users\user\AppData\Roaming\a.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Roaming\a.exe	Process created: C:\Users\user\AppData\Local\Temp\info.exe 'C:\Users\user\AppData\Local\Temp\info.exe'
Source: C:\Users\user\AppData\Local\Temp\info.exe	Process created: C:\Users\user\AppData\Local\Temp\info.exe 'C:\Users\user\AppData\Local\Temp\info.exe'
Source: C:\Users\user\AppData\Roaming\a.exe	Process created: C:\Users\user\AppData\Local\Temp\info.exe 'C:\Users\user\AppData\Local\Temp\info.exe'
Source: C:\Users\user\AppData\Local\Temp\info.exe	Process created: C:\Users\user\AppData\Local\Temp\info.exe 'C:\Users\user\AppData\Local\Temp\info.exe'
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\a.exe	Process created: C:\Users\user\AppData\Local\Temp\info.exe 'C:\Users\user\AppData\Local\Temp\info.exe'
Source: C:\Users\user\AppData\Local\Temp\info.exe	Process created: C:\Users\user\AppData\Local\Temp\info.exe 'C:\Users\user\AppData\Local\Temp\info.exe'
Source: C:\Users\user\AppData\Roaming\a.exe	Process created: C:\Users\user\AppData\Local\Temp\info.exe 'C:\Users\user\AppData\Local\Temp\info.exe'
Source: C:\Users\user\AppData\Local\Temp\info.exe	Process created: C:\Users\user\AppData\Local\Temp\info.exe 'C:\Users\user\AppData\Local\Temp\info.exe'
Source: C:\Users\user\AppData\Roaming\a.exe	Process created: C:\Users\user\AppData\Local\Temp\info.exe 'C:\Users\user\AppData\Local\Temp\info.exe'
Source: C:\Users\user\Desktop\credit notification pdf.exe	Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process created: C:\Users\user\AppData\Local\Temp\info.exe 'C:\Users\user\AppData\Local\Temp\info.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process created: C:\Users\user\AppData\Local\Temp\info.exe 'C:\Users\user\AppData\Local\Temp\info.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process created: C:\Users\user\AppData\Local\Temp\info.exe 'C:\Users\user\AppData\Local\Temp\info.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process created: C:\Users\user\AppData\Local\Temp\info.exe 'C:\Users\user\AppData\Local\Temp\info.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process created: C:\Users\user\AppData\Local\Temp\info.exe 'C:\Users\user\AppData\Local\Temp\info.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\info.exe	Process created: C:\Users\user\AppData\Local\Temp\info.exe 'C:\Users\user\AppData\Local\Temp\info.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\info.exe	Process created: C:\Users\user\AppData\Local\Temp\info.exe 'C:\Users\user\AppData\Local\Temp\info.exe'
Source: C:\Users\user\AppData\Local\Temp\info.exe	Process created: C:\Users\user\AppData\Local\Temp\info.exe 'C:\Users\user\AppData\Local\Temp\info.exe'
Source: C:\Users\user\AppData\Local\Temp\info.exe	Process created: C:\Users\user\AppData\Local\Temp\info.exe 'C:\Users\user\AppData\Local\Temp\info.exe'

Source: credit notification pdf.exe, a.exe	Binary or memory string: INSERT INTO [dbo].[books] ([bnum], [bname], [authorName], [numberOfCopies]) VALUES (@bnum, @bname, @authorName, @numberOfCopies);
Source: credit notification pdf.exe, a.exe	Binary or memory string: INSERT INTO [dbo].[leactureliblogin] ([luserid], [lname], [lpassword], [borrow]) VALUES (@luserid, @lname, @lpassword, @borrow);
Source: credit notification pdf.exe, a.exe	Binary or memory string: INSERT INTO [dbo].[login] ([uname], [pwd], [post], [permission]) VALUES (@uname, @pwd, @post, @permission); SELECT uname, pwd, po

Source: C:\Users\user\Desktop\credit notification pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\info.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\info.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\info.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\info.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\info.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\info.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\info.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\info.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{74fb9edb-82b1-41e4-91bd-7fe787b0bbad}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_01

Source: C:\Users\user\Desktop\credit notification pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\credit notification pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\credit notification pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: credit notification pdf.exe, Ce2/Pr3.cs	.Net Code: Co1e System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: a.exe.1.dr, Ce2/Pr3.cs	.Net Code: Co1e System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.2.credit notification pdf.exe.5d0000.0.unpack, Ce2/Pr3.cs	.Net Code: Co1e System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.0.credit notification pdf.exe.5d0000.0.unpack, Ce2/Pr3.cs	.Net Code: Co1e System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 13.0.a.exe.aa0000.0.unpack, Ce2/Pr3.cs	.Net Code: Co1e System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 13.2.a.exe.aa0000.0.unpack, Ce2/Pr3.cs	.Net Code: Co1e System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\credit notification pdf.exe	Code function: 1_2_06697BE1 push ss; iretd	1_2_06697BE2
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 13_2_07734B71 push es; iretd	13_2_07735094
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 13_2_077305E6 pushfd ; iretd	13_2_07730613
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 13_2_07730A2A push ds; ret	13_2_07730A51
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 13_2_07734E9A push es; iretd	13_2_07735094
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 22_2_02A369F8 pushad ; retf	22_2_02A369F9

Source: info.exe.13.dr, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs	High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
Source: info.exe.13.dr, Astronotplart/gabKErPURPS76kDKjrme.cs	High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
Source: info.exe.13.dr, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs	High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
Source: info.exe.13.dr, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs	High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
Source: info.exe.13.dr, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs	High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'

Source: C:\Users\user\AppData\Roaming\a.exe	File created: C:\Users\user\AppData\Local\Temp\info.exe	Jump to dropped file
Source: C:\Users\user\Desktop\credit notification pdf.exe	File created: C:\Users\user\AppData\Roaming\a.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\credit notification pdf.exe	File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Jump to dropped file

Source: C:\Users\user\Desktop\credit notification pdf.exe	File opened: C:\Users\user\Desktop\credit notification pdf.exe\:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	File opened: C:\Users\user\AppData\Roaming\a.exe\:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Users\user\Desktop\credit notification pdf.exe TID: 4000	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\credit notification pdf.exe TID: 4000	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\credit notification pdf.exe TID: 6340	Thread sleep count: 610 > 30	Jump to behavior
Source: C:\Users\user\Desktop\credit notification pdf.exe TID: 6340	Thread sleep count: 9256 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6196	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6196	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6212	Thread sleep count: 1310 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6212	Thread sleep count: 8536 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5732	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\info.exe TID: 5116	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\info.exe TID: 4024	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6964	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\info.exe TID: 7068	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\info.exe TID: 7140	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\credit notification pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\info.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\info.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\info.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\info.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\credit notification pdf.exe	Window / User API: threadDelayed 610	Jump to behavior
Source: C:\Users\user\Desktop\credit notification pdf.exe	Window / User API: threadDelayed 9256	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Window / User API: threadDelayed 1310	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Window / User API: threadDelayed 8536	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Window / User API: threadDelayed 3757	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Window / User API: threadDelayed 5057	Jump to behavior

Source: credit notification pdf.exe	Binary or memory string: IHGFSD
Source: a.exe, 0000000D.00000003.501435848.00000000068C8000.00000004.00000001.sdmp	Binary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53
Source: credit notification pdf.exe, 00000001.00000002.390314546.000000000101B000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: credit notification pdf.exe, 00000001.00000002.404640688.0000000006AC0000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: InstallUtil.exe, 00000016.00000002.556174680.0000000000EA7000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\credit notification pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\info.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\info.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\info.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\info.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\info.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\info.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\info.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\info.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\a.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 422000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 9EE008	Jump to behavior

Source: InstallUtil.exe, 00000016.00000002.561429327.0000000002C34000.00000004.00000001.sdmp	Binary or memory string: Program Manager(
Source: a.exe, 0000000D.00000002.561462538.0000000001B50000.00000002.00020000.sdmp, InstallUtil.exe, 00000016.00000002.561279675.0000000002BEF000.00000004.00000001.sdmp, info.exe, 00000019.00000002.556464180.0000000001000000.00000002.00020000.sdmp, info.exe, 0000001B.00000002.557056244.0000000001C40000.00000002.00020000.sdmp, info.exe, 0000001F.00000002.556640440.0000000001850000.00000002.00020000.sdmp, info.exe, 00000022.00000002.555643619.00000000016C0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: a.exe, 0000000D.00000002.561462538.0000000001B50000.00000002.00020000.sdmp, InstallUtil.exe, 00000016.00000002.560313310.0000000001500000.00000002.00020000.sdmp, info.exe, 00000019.00000002.556464180.0000000001000000.00000002.00020000.sdmp, info.exe, 0000001B.00000002.557056244.0000000001C40000.00000002.00020000.sdmp, info.exe, 0000001F.00000002.556640440.0000000001850000.00000002.00020000.sdmp, info.exe, 00000022.00000002.555643619.00000000016C0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: a.exe, 0000000D.00000002.561462538.0000000001B50000.00000002.00020000.sdmp, InstallUtil.exe, 00000016.00000002.560313310.0000000001500000.00000002.00020000.sdmp, info.exe, 00000019.00000002.556464180.0000000001000000.00000002.00020000.sdmp, info.exe, 0000001B.00000002.557056244.0000000001C40000.00000002.00020000.sdmp, info.exe, 0000001F.00000002.556640440.0000000001850000.00000002.00020000.sdmp, info.exe, 00000022.00000002.555643619.00000000016C0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: InstallUtil.exe, 00000016.00000002.567682803.0000000005E7C000.00000004.00000010.sdmp	Binary or memory string: Program Managerram Manager
Source: a.exe, 0000000D.00000002.561462538.0000000001B50000.00000002.00020000.sdmp, InstallUtil.exe, 00000016.00000002.560313310.0000000001500000.00000002.00020000.sdmp, info.exe, 00000019.00000002.556464180.0000000001000000.00000002.00020000.sdmp, info.exe, 0000001B.00000002.557056244.0000000001C40000.00000002.00020000.sdmp, info.exe, 0000001F.00000002.556640440.0000000001850000.00000002.00020000.sdmp, info.exe, 00000022.00000002.555643619.00000000016C0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: InstallUtil.exe, 00000016.00000002.567718249.0000000005FBD000.00000004.00000010.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\credit notification pdf.exe	Queries volume information: C:\Users\user\Desktop\credit notification pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\credit notification pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\credit notification pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\credit notification pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\credit notification pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\credit notification pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Queries volume information: C:\Users\user\AppData\Roaming\a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\info.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\info.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\info.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\info.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\info.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\info.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\info.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\info.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\info.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\info.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\info.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\info.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\info.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\info.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\info.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\info.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\info.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\info.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\info.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\info.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\info.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\info.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\info.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\info.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Source: credit notification pdf.exe, 00000001.00000002.403105873.0000000003E34000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: a.exe, 0000000D.00000002.568714078.0000000004155000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000016.00000002.560870455.0000000002AA1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: InstallUtil.exe, 00000016.00000002.568722361.00000000068A0000.00000004.00020000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: InstallUtil.exe, 00000016.00000002.568825311.00000000068D0000.00000004.00020000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: InstallUtil.exe, 00000016.00000002.568750621.00000000068B0000.00000004.00020000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: InstallUtil.exe, 00000016.00000002.568630066.0000000006880000.00000004.00020000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3

Windows Analysis Report credit notification pdf.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
212.192.246.88	arkseven702.ddns.net	Russian Federation		205220	RHC-HOSTINGGB	true
142.250.203.100	www.google.com	United States		15169	GOOGLEUS	false

Name	Malicious	Antivirus Detection	Reputation
arkseven702.ddns.net	true	Avira URL Cloud: safe	unknown
https://www.google.com/	false		high

ID:	509207
Product:	CloudBasic
Start time:	08:40:16
Start date:	26.10.2021
Sample:	credit notification pdf.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	69d14fb14deeb4bc08a3c47840d1f6fb
SHA1:	2830362d97678edaa8dc6f28a8c555f690101bed
SHA256:	2719fac0d4d5ff10221753f561d70346516d6226a3868c40a9d4c9282f370aa0
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	EFEC8C379D165E3F33B536739AEE26A3	C875908ACBA5CAC1E0B40F06A83F0F156A2640FA	46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\credit notification pdf.exe.log	ASCII text, with CRLF line terminators	379135DE3C31F3A766187BD9B6C730C9	BEFFE8BDE231861A3FD901A12F51523399B9A5E7	BDE88F5C7F95E26FFC5EBE86C38AE61E78E0A5AA932A83DE00F2A46DB24DD22D
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log	ASCII text, with CRLF line terminators	CEE81B7EB08EE82CFE49E47B81B50D1A	4746C7068BD50E3309BFFDBE8983B8F27D834DFD	B9A90255691E7C9D3CCBD27D00FC514DDD6087446D8DB03335CEF1B5634CC460
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\info.exe.log	ASCII text, with CRLF line terminators	1249251E90A1C28AB8F7235F30056DEB	166BA6B64E9B0D9BA7B856334F7D7EC027030BA1	B5D65BF3581136CD5368BC47FA3972E06F526EED407BC6571D11D9CD4B5C4D83
C:\Users\user\AppData\Local\Temp\InstallUtil.exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	EFEC8C379D165E3F33B536739AEE26A3	C875908ACBA5CAC1E0B40F06A83F0F156A2640FA	46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
C:\Users\user\AppData\Local\Temp\info.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	0E362E7005823D0BEC3719B902ED6D62	590D860B909804349E0CDC2F1662B37BD62F7463	2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD
C:\Users\user\AppData\Local\Temp\info.txt	ASCII text, with CRLF line terminators	4CDF1925CBBA887A3E919B214E192B58	853966C0160C46010589FB37003180A73A9BCC91	622F2BB826FF16A2F240B5A7E2A46731BA46AC29C40A33FC485728673B294A36
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat	data	32D0AAE13696FF7F8AF33B2D22451028	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat	Non-ISO extended-ASCII text, with no line terminators	1435CA1E07983A5C01FBB9E339097669	7CAB9CFFC29B3F80436F15899B0C838E0B2D27E3	08C05803FD903EBE8550D35861A5D89FC3BDF9BE4A0A79A9FC2EDF25F6566BD4
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin	data	4E5E92E2369688041CC82EF9650EDED2	15E44F2F3194EE232B44E9684163B6F66472C862	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat	data	7E8F4A764B981D5B82D1CC49D341E9C6	D9F0685A028FB219E1A6286AEFB7D6FCFC778B85	0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide	C43C60D569FA0C256C556082126497D4	A3206A53ECCC894E6F1F7037ECB395A91EDEFF54	E9F08DB61FE3C57BF38D637B3601487358AE827DC032B03F37CDA9F8551AF7F6
C:\Users\user\AppData\Roaming\a.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	69D14FB14DEEB4BC08A3C47840D1F6FB	2830362D97678EDAA8DC6F28A8C555F690101BED	2719FAC0D4D5FF10221753F561D70346516D6226A3868C40A9D4C9282F370AA0
C:\Users\user\AppData\Roaming\a.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
\Device\ConDrv	ASCII text, with CRLF line terminators	9C305D95E7DA8FCA9651F7F426BB25BC	FDB5C18C26CF5B83EF5DC297C0F9CEBEF6A97FFC	444F71CF504D22F0EE88024D61501D3B79AE5D1AFD521E72499F325F6B0B82BE