Windows Analysis Report filedata

Overview

General Information

Sample Name: filedata (renamed file extension from none to exe)
Analysis ID: 552947
MD5: 2ce21c68e4d03f35248689663dc820de
SHA1: 5963d9d448d322cb49f4dee613734fe030131c11
SHA256: 93d545c83fa462035ae0c2aa0036db008fc4bdf3d10ec89c6f0b6699b09c6fbf

Detection

Nanocore
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Yara detected Nanocore RAT
Detected unpacking (creates a PE file in dynamic memory)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection:

Yara detected Nanocore RAT
Antivirus or Machine Learning detection for unpacked file

Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Unpacked PE file: 8.2.chmac.exe.4810000.9.unpack
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Unpacked PE file: 11.2.chmac.exe.4960000.9.unpack
Uses 32bit PE files
Source: filedata.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\filedata.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbUGP source: filedata.exe, 00000001.00000003.295655052.00000000036B0000.00000004.00000001.sdmp, filedata.exe, 00000001.00000003.295324951.0000000003520000.00000004.00000001.sdmp, chmac.exe, 00000007.00000003.324632058.00000000034A0000.00000004.00000001.sdmp, chmac.exe, 00000007.00000003.323875140.0000000003310000.00000004.00000001.sdmp, chmac.exe, 00000009.00000003.339932076.00000000031E0000.00000004.00000001.sdmp, chmac.exe, 00000009.00000003.343022774.0000000003370000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: filedata.exe, 00000005.00000002.563438389.00000000053B0000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: filedata.exe, 00000001.00000003.295655052.00000000036B0000.00000004.00000001.sdmp, filedata.exe, 00000001.00000003.295324951.0000000003520000.00000004.00000001.sdmp, chmac.exe, 00000007.00000003.324632058.00000000034A0000.00000004.00000001.sdmp, chmac.exe, 00000007.00000003.323875140.0000000003310000.00000004.00000001.sdmp, chmac.exe, 00000009.00000003.339932076.00000000031E0000.00000004.00000001.sdmp, chmac.exe, 00000009.00000003.343022774.0000000003370000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: filedata.exe, 00000005.00000002.563590904.00000000053D0000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.563890986.0000000005400000.00000004.00020000.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.563389843.0000000005390000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: filedata.exe, 00000005.00000002.563662225.00000000053E0000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_00405D7C FindFirstFileA,FindClose, 1_2_00405D7C
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_004053AA
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_00402630 FindFirstFileA, 1_2_00402630
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_00404A29 FindFirstFileExW, 5_2_00404A29
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_2_00404A29 FindFirstFileExW, 8_2_00404A29
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_1_00404A29 FindFirstFileExW, 8_1_00404A29
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 9_2_00405D7C FindFirstFileA,FindClose, 9_2_00405D7C
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 9_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 9_2_004053AA
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 9_2_00402630 FindFirstFileA, 9_2_00402630

Networking:

Uses dynamic DNS services
Source: unknown DNS query: name: boyhome5100.duckdns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49745 -> 194.5.98.28:5100
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp String found in binary or memory: http://google.com
Source: chmac.exe, chmac.exe, 00000009.00000002.343865229.0000000000409000.00000004.00020000.sdmp, chmac.exe, 00000009.00000000.325806188.0000000000409000.00000008.00020000.sdmp, chmac.exe, 0000000B.00000000.331021791.0000000000409000.00000008.00020000.sdmp, filedata.exe, chmac.exe.1.dr String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: filedata.exe, chmac.exe.1.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: unknown DNS traffic detected: queries for: boyhome5100.duckdns.org
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_04A22E42 WSARecv, 5_2_04A22E42

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: filedata.exe, 00000001.00000002.300161005.00000000006FA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: filedata.exe, 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_00404F61

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 7.2.chmac.exe.32d1458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.filedata.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.filedata.exe.23f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.filedata.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.chmac.exe.6d7f68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.filedata.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.chmac.exe.4960000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.filedata.exe.4bc0000.32.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.filedata.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.filedata.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.chmac.exe.3191458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.chmac.exe.3191458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.filedata.exe.3b664a0.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.filedata.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.filedata.exe.624448.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.1.filedata.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.filedata.exe.23a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.filedata.exe.3b6166a.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.filedata.exe.624448.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.chmac.exe.6347a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.561439821.00000000027A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.297190479.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.345221899.000000000364A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.342661979.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000001.328667049.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.361051688.000000000381A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.299308522.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.341500174.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.562195683.0000000003832000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.325598662.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.345786625.0000000003180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.559328771.0000000000614000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.361014751.00000000037E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: filedata.exe PID: 6760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: filedata.exe PID: 6220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chmac.exe PID: 2812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chmac.exe PID: 6352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chmac.exe PID: 4476, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chmac.exe PID: 6968, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 8.2.chmac.exe.3613258.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.3613258.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.2830c24.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.2830c24.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.2963f94.11.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.6d7f68.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.6d7f68.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.filedata.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.filedata.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.chmac.exe.4960000.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.4960000.9.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.4bc0000.32.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.filedata.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.filedata.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.5400000.40.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.28249b0.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.5450000.43.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.2636888.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.chmac.exe.3191458.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.chmac.exe.3191458.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.393ac5e.22.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.chmac.exe.3191458.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.chmac.exe.3191458.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.3b664a0.28.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.3a65f89.25.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.3a65f89.25.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.23b0000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.23b0000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.4a30000.29.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.624448.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.624448.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.37a7ee7.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.5370000.34.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.3943e92.20.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.5390000.35.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.1.filedata.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.1.filedata.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.filedata.exe.23a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.filedata.exe.23a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.3b6166a.27.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.3b6166a.27.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.chmac.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.624448.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.624448.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.chmac.exe.6347a8.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.6347a8.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.563662225.00000000053E0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.564073879.0000000005420000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.297190479.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.297190479.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.562912360.0000000004A30000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.563590904.00000000053D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.563438389.00000000053B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.345221899.000000000364A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000000.342661979.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000000.342661979.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000001.328667049.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000001.328667049.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.564478287.0000000005480000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.564299116.0000000005450000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.563389843.0000000005390000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.345062402.000000000261E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.361051688.000000000381A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.563059058.0000000004BB0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000001.299308522.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000001.299308522.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000000.341500174.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000000.341500174.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000000.325598662.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000000.325598662.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.345786625.0000000003180000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.345786625.0000000003180000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.559328771.0000000000614000.00000004.00000020.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.559328771.0000000000614000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.563366604.0000000005370000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.360974701.00000000027EE000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.361014751.00000000037E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.361014751.00000000037E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.563890986.0000000005400000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.564263969.0000000005440000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: filedata.exe PID: 6760, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: filedata.exe PID: 6760, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: filedata.exe PID: 6220, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: filedata.exe PID: 6220, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: chmac.exe PID: 2812, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: chmac.exe PID: 2812, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: chmac.exe PID: 6352, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: chmac.exe PID: 6352, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: chmac.exe PID: 4476, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: chmac.exe PID: 4476, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: chmac.exe PID: 6968, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: chmac.exe PID: 6968, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Uses 32bit PE files
Source: filedata.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 5.2.filedata.exe.5370000.34.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5370000.34.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.3613258.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.2970224.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.filedata.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.2806888.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.2806888.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.284528c.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.284528c.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.37a3248.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.37a3248.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.chmac.exe.3180000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.chmac.exe.3180000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.chmac.exe.3180000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.6d7f68.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.6d7f68.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.6d7f68.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3a867ea.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3a867ea.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.3a867ea.23.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.2830c24.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.2830c24.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.4810000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.4810000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.4810000.9.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.chmac.exe.32d1458.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.chmac.exe.32d1458.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.chmac.exe.32d1458.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3a721bd.24.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3a721bd.24.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.545e8a4.44.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.545e8a4.44.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.29848a8.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.29848a8.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.29848a8.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.5400000.40.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5400000.40.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.filedata.exe.23a0000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.filedata.exe.23a0000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.filedata.exe.23a0000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.5454c9f.45.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5454c9f.45.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.4bc4629.31.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.4bc4629.31.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.28249b0.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.28249b0.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3839930.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3839930.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.4920000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.4920000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.4920000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.filedata.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.4920000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.4920000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.4920000.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.filedata.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.37da822.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.37da822.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.37da822.17.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.53e0000.38.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.53e0000.38.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3839930.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3839930.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.chmac.exe.3180000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.chmac.exe.3180000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.chmac.exe.3180000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.23b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.23b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.23b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.chmac.exe.3613258.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.3613258.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.3613258.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.37df658.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.37df658.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.37df658.16.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.3860e54.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.3860e54.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.filedata.exe.23b1458.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.filedata.exe.23b1458.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.filedata.exe.23b1458.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.37b1aec.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.37b1aec.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.5480000.46.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5480000.46.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.1.filedata.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.1.filedata.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.1.filedata.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3b664a0.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3b664a0.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.1.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.1.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.1.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3943e92.20.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3943e92.20.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.27b154c.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.27b154c.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.5420000.41.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5420000.41.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.chmac.exe.369547d.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.369547d.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.368c01e.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.368c01e.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.368c01e.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.4bb0000.30.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.4bb0000.30.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.53f0000.39.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.53f0000.39.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.53b0000.36.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.53b0000.36.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.2963f94.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.2963f94.11.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.filedata.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3948b31.21.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3948b31.21.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.37e3c81.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.37e3c81.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.37e3c81.15.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3a65f89.25.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3a65f89.25.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.3860e54.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.3860e54.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.3690e54.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.3690e54.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.37df658.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.37df658.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.393ac5e.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.393ac5e.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.filedata.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.chmac.exe.47c0000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.47c0000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.47c0000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.37a3248.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.37a3248.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.6347a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.6347a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.6347a8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.4a30000.29.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.4a30000.29.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.385c01e.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.385c01e.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.385c01e.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.53e0000.38.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.53e0000.38.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.37e3258.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.37e3258.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.37e3258.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.chmac.exe.32c0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.chmac.exe.32c0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.chmac.exe.32c0000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.filedata.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.chmac.exe.32c0000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.chmac.exe.32c0000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.chmac.exe.32c0000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.386547d.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.386547d.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.53d0000.37.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.53d0000.37.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.5420000.41.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5420000.41.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.5440000.42.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5440000.42.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.53b0000.36.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.53b0000.36.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.chmac.exe.32d1458.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.chmac.exe.32d1458.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.chmac.exe.32d1458.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.5440000.42.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5440000.42.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.5480000.46.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5480000.46.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.2970224.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.2970224.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.23f0000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.23f0000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.23f0000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3a721bd.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3a721bd.24.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.filedata.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.2830c24.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.2830c24.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.2963f94.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.2963f94.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.6d7f68.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.6d7f68.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.6d7f68.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.filedata.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.4960000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.4960000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.4960000.9.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.4bc0000.32.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.4bc0000.32.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.5400000.40.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5400000.40.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.28249b0.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.28249b0.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.5450000.43.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5450000.43.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.2636888.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.2636888.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.chmac.exe.3191458.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.chmac.exe.3191458.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.chmac.exe.3191458.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.393ac5e.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.393ac5e.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.chmac.exe.3191458.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.chmac.exe.3191458.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.chmac.exe.3191458.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3b664a0.28.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3b664a0.28.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3a65f89.25.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3a65f89.25.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.23b0000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.23b0000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.23b0000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.4a30000.29.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.4a30000.29.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.624448.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.624448.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.624448.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.37a7ee7.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.37a7ee7.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.5370000.34.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5370000.34.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.3943e92.20.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3943e92.20.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.5390000.35.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5390000.35.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.1.filedata.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.1.filedata.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.1.filedata.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.filedata.exe.23a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.filedata.exe.23a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.filedata.exe.23a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3b6166a.27.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3b6166a.27.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.3b6166a.27.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.624448.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.624448.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.624448.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.chmac.exe.6347a8.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.6347a8.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.6347a8.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.563662225.00000000053E0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.563662225.00000000053E0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.564073879.0000000005420000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.564073879.0000000005420000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000000.297190479.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.297190479.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.562912360.0000000004A30000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.562912360.0000000004A30000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.563590904.00000000053D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.563590904.00000000053D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.563438389.00000000053B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.563438389.00000000053B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.345221899.000000000364A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000000.342661979.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000000.342661979.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000001.328667049.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000001.328667049.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.564478287.0000000005480000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.564478287.0000000005480000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.564299116.0000000005450000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.564299116.0000000005450000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.563389843.0000000005390000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.563389843.0000000005390000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.345062402.000000000261E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.361051688.000000000381A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.563059058.0000000004BB0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.563059058.0000000004BB0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000001.299308522.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000001.299308522.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000000.341500174.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 1_2_00403225
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 9_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 9_2_00403225
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: String function: 00401ED0 appears 46 times
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: String function: 0040569E appears 36 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_04A218AA NtQuerySystemInformation, 5_2_04A218AA
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_04A2186F NtQuerySystemInformation, 5_2_04A2186F
Sample file is different than original file name gathered from version info
Source: filedata.exe, 00000001.00000003.291042942.0000000003636000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs filedata.exe
Source: filedata.exe, 00000001.00000003.293853805.00000000037CF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs filedata.exe
Source: filedata.exe, 00000005.00000002.563662225.00000000053E0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs filedata.exe
Source: filedata.exe, 00000005.00000002.561439821.00000000027A1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.564073879.0000000005420000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562912360.0000000004A30000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs filedata.exe
Source: filedata.exe, 00000005.00000002.563438389.00000000053B0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.563590904.00000000053D0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.563110382.0000000004BE0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562269551.00000000038C7000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562269551.00000000038C7000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562269551.00000000038C7000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562269551.00000000038C7000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562269551.00000000038C7000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562269551.00000000038C7000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.564478287.0000000005480000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562100157.00000000037A1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562100157.00000000037A1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562100157.00000000037A1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.564299116.0000000005450000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.564299116.0000000005450000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.564299116.0000000005450000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.563389843.0000000005390000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs filedata.exe
Source: filedata.exe, 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs filedata.exe
Source: filedata.exe, 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs filedata.exe
Source: filedata.exe, 00000005.00000002.563059058.0000000004BB0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562195683.0000000003832000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562195683.0000000003832000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562195683.0000000003832000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.563366604.0000000005370000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.563890986.0000000005400000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs filedata.exe
Source: filedata.exe, 00000005.00000002.564263969.0000000005440000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs filedata.exe
PE file contains strange resources
Source: filedata.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: chmac.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\filedata.exe File read: C:\Users\user\Desktop\filedata.exe
Source: filedata.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\filedata.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\filedata.exe "C:\Users\user\Desktop\filedata.exe"
Source: C:\Users\user\Desktop\filedata.exe Process created: C:\Users\user\Desktop\filedata.exe "C:\Users\user\Desktop\filedata.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: C:\Users\user\Desktop\filedata.exe Process created: C:\Users\user\Desktop\filedata.exe "C:\Users\user\Desktop\filedata.exe"
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: C:\Users\user\Desktop\filedata.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_04A2166A AdjustTokenPrivileges, 5_2_04A2166A
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_04A21633 AdjustTokenPrivileges, 5_2_04A21633
Source: C:\Users\user\Desktop\filedata.exe File created: C:\Users\user\AppData\Roaming\dihsw
Source: C:\Users\user\Desktop\filedata.exe File created: C:\Users\user\AppData\Local\Temp\nsk5586.tmp
Source: classification engine Classification label: mal96.troj.evad.winEXE@9/13@19/2
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar, 1_2_00402012
Source: C:\Users\user\Desktop\filedata.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 1_2_00404275
Source: 11.2.chmac.exe.4960000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.2.chmac.exe.4960000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 8.2.chmac.exe.4810000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 8.2.chmac.exe.4810000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.filedata.exe.23f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.filedata.exe.23f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\filedata.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\filedata.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\filedata.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\filedata.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{1f8684ca-0835-4252-89d1-4a2b1be1a69a}
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, 5_2_00401489
Source: 5.2.filedata.exe.23f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.filedata.exe.23f0000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.filedata.exe.23f0000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.chmac.exe.4810000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.2.chmac.exe.4810000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.chmac.exe.4810000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.chmac.exe.4960000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 11.2.chmac.exe.4960000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.chmac.exe.4960000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\Desktop\filedata.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\filedata.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbUGP source: filedata.exe, 00000001.00000003.295655052.00000000036B0000.00000004.00000001.sdmp, filedata.exe, 00000001.00000003.295324951.0000000003520000.00000004.00000001.sdmp, chmac.exe, 00000007.00000003.324632058.00000000034A0000.00000004.00000001.sdmp, chmac.exe, 00000007.00000003.323875140.0000000003310000.00000004.00000001.sdmp, chmac.exe, 00000009.00000003.339932076.00000000031E0000.00000004.00000001.sdmp, chmac.exe, 00000009.00000003.343022774.0000000003370000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: filedata.exe, 00000005.00000002.563438389.00000000053B0000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: filedata.exe, 00000001.00000003.295655052.00000000036B0000.00000004.00000001.sdmp, filedata.exe, 00000001.00000003.295324951.0000000003520000.00000004.00000001.sdmp, chmac.exe, 00000007.00000003.324632058.00000000034A0000.00000004.00000001.sdmp, chmac.exe, 00000007.00000003.323875140.0000000003310000.00000004.00000001.sdmp, chmac.exe, 00000009.00000003.339932076.00000000031E0000.00000004.00000001.sdmp, chmac.exe, 00000009.00000003.343022774.0000000003370000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: filedata.exe, 00000005.00000002.563590904.00000000053D0000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.563890986.0000000005400000.00000004.00020000.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.563389843.0000000005390000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: filedata.exe, 00000005.00000002.563662225.00000000053E0000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Unpacked PE file: 8.2.chmac.exe.4810000.9.unpack
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Unpacked PE file: 11.2.chmac.exe.4960000.9.unpack
.NET source code contains potential unpacker
Source: 5.2.filedata.exe.23f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.filedata.exe.23f0000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.chmac.exe.4810000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.chmac.exe.4810000.9.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.chmac.exe.4960000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.chmac.exe.4960000.9.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_6EDB4EB2 pushad ; retf 0000h 1_2_6EDB4EB3
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_6EDBC254 pushfd ; retf 1_2_6EDBC255
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_6EDB6FF5 pushfd ; iretd 1_2_6EDB6FF6
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_00401F16 push ecx; ret 5_2_00401F29
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_020E2E75 push edi; ret 5_2_020E2E76
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_020E2685 push edi; ret 5_2_020E2686
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_020E2E81 push edi; ret 5_2_020E2E82
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_020E26A8 push edi; ret 5_2_020E26B6
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_020E30E4 push eax; ret 5_2_020E30EA
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_020E30F9 push eax; ret 5_2_020E317A
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_020E316C push eax; ret 5_2_020E317A
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_020E2570 push ecx; ret 5_2_020E2572
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_020E25DD push eax; ret 5_2_020E25DE
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_020E25D0 push ecx; ret 5_2_020E25D2
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_020E2DFD push ecx; ret 5_2_020E2DFE
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_02109D2B pushad ; retf 5_2_02109D31
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 7_2_6EDB4EB2 pushad ; retf 0000h 7_2_6EDB4EB3
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 7_2_6EDBC254 pushfd ; retf 7_2_6EDBC255
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_2_00401F16 push ecx; ret 8_2_00401F29
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_2_00912881 push edi; ret 8_2_00912882
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_2_009125D0 push ecx; ret 8_2_009125D2
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_2_009125DD push eax; ret 8_2_009125DE
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_2_00912DFD push ecx; ret 8_2_00912DFE
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_2_00912570 push ecx; ret 8_2_00912572
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_2_00912E81 push edi; ret 8_2_00912E82
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_2_009126A8 push edi; ret 8_2_009126B6
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_2_00912E75 push edi; ret 8_2_00912E76
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_1_00401F16 push ecx; ret 8_1_00401F29
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 9_2_6EAB4EB2 pushad ; retf 0000h 9_2_6EAB4EB3
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 9_2_6EABC254 pushfd ; retf 9_2_6EABC255
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 9_2_6EAB6FF5 pushfd ; iretd 9_2_6EAB6FF6
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 1_2_00405DA3
Source: 5.2.filedata.exe.23f0000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names
Source: 5.2.filedata.exe.23f0000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names
Source: 8.2.chmac.exe.4810000.9.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names
Source: 8.2.chmac.exe.4810000.9.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names
Source: 11.2.chmac.exe.4960000.9.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names
Source: 11.2.chmac.exe.4960000.9.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe File created: C:\Users\user\AppData\Local\Temp\nsqA3A8.tmp\zihgjt.dll
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe File created: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\zihgjt.dll
Source: C:\Users\user\Desktop\filedata.exe File created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe
Source: C:\Users\user\Desktop\filedata.exe File created: C:\Users\user\AppData\Local\Temp\nsf55B7.tmp\zihgjt.dll
Source: C:\Users\user\Desktop\filedata.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kyvrnrwl

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\filedata.exe File opened: C:\Users\user\Desktop\filedata.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\filedata.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\filedata.exe TID: 3560 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\filedata.exe TID: 5668 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 3176 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 3952 Thread sleep count: 42 > 30
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 5676 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 5608 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 5672 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 4404 Thread sleep time: -922337203685477s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\filedata.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\filedata.exe Window / User API: threadDelayed 354
Source: C:\Users\user\Desktop\filedata.exe Window / User API: foregroundWindowGot 955
Source: C:\Users\user\Desktop\filedata.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_04A21392 GetSystemInfo, 5_2_04A21392
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_00405D7C FindFirstFileA,FindClose, 1_2_00405D7C
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_004053AA
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_00402630 FindFirstFileA, 1_2_00402630
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_00404A29 FindFirstFileExW, 5_2_00404A29
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_2_00404A29 FindFirstFileExW, 8_2_00404A29
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_1_00404A29 FindFirstFileExW, 8_1_00404A29
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 9_2_00405D7C FindFirstFileA,FindClose, 9_2_00405D7C
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 9_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 9_2_004053AA
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 9_2_00402630 FindFirstFileA, 9_2_00402630
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\filedata.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe API call chain: ExitProcess graph end node

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_0040446F
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 1_2_00405DA3
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_004067FE GetProcessHeap, 5_2_004067FE
Enables debug privileges
Source: C:\Users\user\Desktop\filedata.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_0019E23A mov eax, dword ptr fs:[00000030h] 1_2_0019E23A
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_0019E026 mov eax, dword ptr fs:[00000030h] 1_2_0019E026
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_0019E2EB mov eax, dword ptr fs:[00000030h] 1_2_0019E2EB
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_0019E32A mov eax, dword ptr fs:[00000030h] 1_2_0019E32A
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_0019E368 mov eax, dword ptr fs:[00000030h] 1_2_0019E368
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_004035F1 mov eax, dword ptr fs:[00000030h] 5_2_004035F1
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 7_2_0019E23A mov eax, dword ptr fs:[00000030h] 7_2_0019E23A
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 7_2_0019E026 mov eax, dword ptr fs:[00000030h] 7_2_0019E026
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 7_2_0019E2EB mov eax, dword ptr fs:[00000030h] 7_2_0019E2EB
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 7_2_0019E32A mov eax, dword ptr fs:[00000030h] 7_2_0019E32A
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 7_2_0019E368 mov eax, dword ptr fs:[00000030h] 7_2_0019E368
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_2_004035F1 mov eax, dword ptr fs:[00000030h] 8_2_004035F1
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_1_004035F1 mov eax, dword ptr fs:[00000030h] 8_1_004035F1
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 9_2_0019E23A mov eax, dword ptr fs:[00000030h] 9_2_0019E23A
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 9_2_0019E026 mov eax, dword ptr fs:[00000030h] 9_2_0019E026
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 9_2_0019E2EB mov eax, dword ptr fs:[00000030h] 9_2_0019E2EB
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 9_2_0019E32A mov eax, dword ptr fs:[00000030h] 9_2_0019E32A
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 9_2_0019E368 mov eax, dword ptr fs:[00000030h] 9_2_0019E368
Source: C:\Users\user\Desktop\filedata.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_00401E1D SetUnhandledExceptionFilter, 5_2_00401E1D
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00401C88
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00401F30
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_2_00401E1D SetUnhandledExceptionFilter, 8_2_00401E1D
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0040446F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00401C88
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00401F30
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_1_00401E1D SetUnhandledExceptionFilter, 8_1_00401E1D
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_1_0040446F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_1_00401C88
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Code function: 8_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_1_00401F30

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\filedata.exe Memory written: C:\Users\user\Desktop\filedata.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Memory written: C:\Users\user\AppData\Roaming\dihsw\chmac.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\filedata.exe Process created: C:\Users\user\Desktop\filedata.exe "C:\Users\user\Desktop\filedata.exe"
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: filedata.exe, 00000005.00000002.561811283.0000000002932000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561781358.000000000292A000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562041659.0000000002A2E000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.560079389.0000000000C70000.00000002.00020000.sdmp, filedata.exe, 00000005.00000002.562001826.0000000002A0E000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562073524.0000000002A54000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561991224.0000000002A07000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561741862.0000000002910000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561794584.000000000292D000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561757899.000000000291A000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: filedata.exe, 00000005.00000002.560079389.0000000000C70000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: filedata.exe, 00000005.00000002.560079389.0000000000C70000.00000002.00020000.sdmp Binary or memory string: Progman
Source: filedata.exe, 00000005.00000002.561811283.0000000002932000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562073524.0000000002A54000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561757899.000000000291A000.00000004.00000001.sdmp Binary or memory string: Program ManagerP
Source: filedata.exe, 00000005.00000002.561991224.0000000002A07000.00000004.00000001.sdmp Binary or memory string: Program Managerp
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp Binary or memory string: Program ManagerX
Source: filedata.exe, 00000005.00000002.560079389.0000000000C70000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_0040208D cpuid 5_2_0040208D
Source: C:\Users\user\Desktop\filedata.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 5_2_00401B74
Source: C:\Users\user\Desktop\filedata.exe Code function: 1_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 1_2_00405AA7
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_020EB0CA GetUserNameW, 5_2_020EB0CA

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 11.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.1.filedata.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.filedata.exe.3b664a0.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.1.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.chmac.exe.369547d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.chmac.exe.368c01e.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.filedata.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.filedata.exe.37e3c81.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.chmac.exe.3860e54.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.chmac.exe.3690e54.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.filedata.exe.37df658.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.filedata.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.filedata.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.chmac.exe.47c0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.chmac.exe.6347a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.chmac.exe.385c01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.chmac.exe.37e3258.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.chmac.exe.32c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.filedata.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.chmac.exe.32c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.chmac.exe.386547d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.filedata.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.chmac.exe.32d1458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.filedata.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.filedata.exe.23f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.filedata.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.chmac.exe.6d7f68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.filedata.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.chmac.exe.4960000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.filedata.exe.4bc0000.32.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.filedata.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.filedata.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.chmac.exe.3191458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.chmac.exe.3191458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.filedata.exe.3b664a0.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.filedata.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.filedata.exe.624448.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.1.filedata.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.filedata.exe.23a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.filedata.exe.3b6166a.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.filedata.exe.624448.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.chmac.exe.6347a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.561439821.00000000027A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.297190479.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.345221899.000000000364A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.342661979.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000001.328667049.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.361051688.000000000381A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.299308522.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.341500174.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.562195683.0000000003832000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.325598662.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.345786625.0000000003180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.559328771.0000000000614000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.361014751.00000000037E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: filedata.exe PID: 6760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: filedata.exe PID: 6220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chmac.exe PID: 2812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chmac.exe PID: 6352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chmac.exe PID: 4476, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chmac.exe PID: 6968, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat
Source: filedata.exe, 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563662225.00000000053E0000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.561439821.00000000027A1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.564073879.0000000005420000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.562912360.0000000004A30000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563438389.00000000053B0000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563590904.00000000053D0000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.562269551.00000000038C7000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.564478287.0000000005480000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.562100157.00000000037A1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.564299116.0000000005450000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563389843.0000000005390000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563059058.0000000004BB0000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.562195683.0000000003832000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563366604.0000000005370000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563890986.0000000005400000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.564263969.0000000005440000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000008.00000002.345221899.000000000364A000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000008.00000002.345221899.000000000364A000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.Co
mpilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: chmac.exe, 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000008.00000002.345062402.000000000261E000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000009.00000002.345786625.0000000003180000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000B.00000002.361051688.000000000381A000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000B.00000002.360974701.00000000027EE000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000B.00000002.361014751.00000000037E1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match File source: Process Memory Space: filedata.exe PID: 6760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: filedata.exe PID: 6220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chmac.exe PID: 2812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chmac.exe PID: 6352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chmac.exe PID: 4476, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chmac.exe PID: 6968, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_04A22986 bind, 5_2_04A22986
Source: C:\Users\user\Desktop\filedata.exe Code function: 5_2_04A22934 bind, 5_2_04A22934