Play interactive tour

Edit tour

Windows Analysis Report filedata

Overview

General Information

Sample Name:	filedata (renamed file extension from none to exe)
Analysis ID:	552947
MD5:	2ce21c68e4d03f35248689663dc820de
SHA1:	5963d9d448d322cb49f4dee613734fe030131c11
SHA256:	93d545c83fa462035ae0c2aa0036db008fc4bdf3d10ec89c6f0b6699b09c6fbf
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Yara detected Nanocore RAT

Detected unpacking (creates a PE file in dynamic memory)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses dynamic DNS services

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

filedata.exe (PID: 6760 cmdline: "C:\Users\user\Desktop\filedata.exe" MD5: 2CE21C68E4D03F35248689663DC820DE)

filedata.exe (PID: 6220 cmdline: "C:\Users\user\Desktop\filedata.exe" MD5: 2CE21C68E4D03F35248689663DC820DE)

chmac.exe (PID: 2812 cmdline: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" MD5: 2CE21C68E4D03F35248689663DC820DE)

chmac.exe (PID: 6352 cmdline: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" MD5: 2CE21C68E4D03F35248689663DC820DE)

chmac.exe (PID: 4476 cmdline: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" MD5: 2CE21C68E4D03F35248689663DC820DE)

chmac.exe (PID: 6968 cmdline: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" MD5: 2CE21C68E4D03F35248689663DC820DE)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
00000005.00000002.563662225.00000000053E0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000005.00000002.563662225.00000000053E0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x240f5:$x1: NanoCore.ClientPluginHost 0x24132:$x2: IClientNetworkHost 0x27c65:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x66b8:$a: NanoCore 0x23e5d:$a: NanoCore 0x23e6d:$a: NanoCore 0x240a1:$a: NanoCore 0x240b5:$a: NanoCore 0x240f5:$a: NanoCore 0x23ebc:$b: ClientPlugin 0x240be:$b: ClientPlugin 0x240fe:$b: ClientPlugin 0x23fe3:$c: ProjectData 0x249ea:$d: DESCrypto 0x2c3b6:$e: KeepAlive 0x2a3a4:$g: LogClientMessage 0x2659f:$i: get_Connected 0x24d20:$j: #=q 0x24d50:$j: #=q 0x24d6c:$j: #=q 0x24d9c:$j: #=q 0x24db8:$j: #=q 0x24dd4:$j: #=q 0x24e04:$j: #=q
00000005.00000002.561439821.00000000027A1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.564073879.0000000005420000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000005.00000002.564073879.0000000005420000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
00000005.00000000.297190479.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.297190479.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.297190479.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000005.00000002.562912360.0000000004A30000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000005.00000002.562912360.0000000004A30000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
00000005.00000002.563590904.00000000053D0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000005.00000002.563590904.00000000053D0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
00000005.00000002.563438389.00000000053B0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000005.00000002.563438389.00000000053B0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
00000008.00000002.345221899.000000000364A000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.345221899.000000000364A000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42dfd:$a: NanoCore 0x42e56:$a: NanoCore 0x42e93:$a: NanoCore 0x42f0c:$a: NanoCore 0x565b7:$a: NanoCore 0x565cc:$a: NanoCore 0x56601:$a: NanoCore 0x6f093:$a: NanoCore 0x6f0a8:$a: NanoCore 0x6f0dd:$a: NanoCore 0x42e5f:$b: ClientPlugin 0x42e9c:$b: ClientPlugin 0x4379a:$b: ClientPlugin 0x437a7:$b: ClientPlugin 0x56373:$b: ClientPlugin 0x5638e:$b: ClientPlugin 0x563be:$b: ClientPlugin 0x565d5:$b: ClientPlugin 0x5660a:$b: ClientPlugin 0x6ee4f:$b: ClientPlugin 0x6ee6a:$b: ClientPlugin
00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000B.00000000.342661979.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000000.342661979.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000000.342661979.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1449:$a: NanoCore 0x14a2:$a: NanoCore 0x14df:$a: NanoCore 0x1558:$a: NanoCore 0x14c03:$a: NanoCore 0x14c18:$a: NanoCore 0x14c4d:$a: NanoCore 0x14ab:$b: ClientPlugin 0x14e8:$b: ClientPlugin 0x1de6:$b: ClientPlugin 0x1df3:$b: ClientPlugin 0x149bf:$b: ClientPlugin 0x149da:$b: ClientPlugin 0x14a0a:$b: ClientPlugin 0x14c21:$b: ClientPlugin 0x14c56:$b: ClientPlugin 0x14b37:$c: ProjectData 0x1933:$g: LogClientMessage 0x18b3:$i: get_Connected 0x15486:$j: #=q 0x154b6:$j: #=q
00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
00000008.00000001.328667049.0000000000414000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000001.328667049.0000000000414000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000001.328667049.0000000000414000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
00000005.00000002.564478287.0000000005480000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000005.00000002.564478287.0000000005480000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x123e5:$x1: NanoCore.ClientPluginHost 0x12422:$x2: IClientNetworkHost 0x15f55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1214d:$a: NanoCore 0x1215d:$a: NanoCore 0x12391:$a: NanoCore 0x123a5:$a: NanoCore 0x123e5:$a: NanoCore 0x121ac:$b: ClientPlugin 0x123ae:$b: ClientPlugin 0x123ee:$b: ClientPlugin 0x122d3:$c: ProjectData 0x12cda:$d: DESCrypto 0x1a6a6:$e: KeepAlive 0x18694:$g: LogClientMessage 0x1488f:$i: get_Connected 0x13010:$j: #=q 0x13040:$j: #=q 0x1305c:$j: #=q 0x1308c:$j: #=q 0x130a8:$j: #=q 0x130c4:$j: #=q 0x130f4:$j: #=q 0x13110:$j: #=q
00000005.00000002.564299116.0000000005450000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000005.00000002.564299116.0000000005450000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x35546:$a: NanoCore 0x3556b:$a: NanoCore 0x355c4:$a: NanoCore 0x457a3:$a: NanoCore 0x457c9:$a: NanoCore 0x45825:$a: NanoCore 0x526b7:$a: NanoCore 0x52710:$a: NanoCore 0x52743:$a: NanoCore 0x5296f:$a: NanoCore 0x529eb:$a: NanoCore 0x53004:$a: NanoCore 0x5314d:$a: NanoCore 0x53621:$a: NanoCore 0x53908:$a: NanoCore 0x5391f:$a: NanoCore 0x5c7fb:$a: NanoCore 0x5c877:$a: NanoCore 0x5f15a:$a: NanoCore 0x63904:$a: NanoCore 0x6394e:$a: NanoCore
00000005.00000002.563389843.0000000005390000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000005.00000002.563389843.0000000005390000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d935:$x1: NanoCore.ClientPluginHost 0x1d972:$x2: IClientNetworkHost 0x214a5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4130:$a: NanoCore 0x1d69d:$a: NanoCore 0x1d6ad:$a: NanoCore 0x1d8e1:$a: NanoCore 0x1d8f5:$a: NanoCore 0x1d935:$a: NanoCore 0x1d6fc:$b: ClientPlugin 0x1d8fe:$b: ClientPlugin 0x1d93e:$b: ClientPlugin 0x1d823:$c: ProjectData 0x1e22a:$d: DESCrypto 0x25bf6:$e: KeepAlive 0x23be4:$g: LogClientMessage 0x1fddf:$i: get_Connected 0x1e560:$j: #=q 0x1e590:$j: #=q 0x1e5ac:$j: #=q 0x1e5dc:$j: #=q 0x1e5f8:$j: #=q 0x1e614:$j: #=q 0x1e644:$j: #=q
00000008.00000002.345062402.000000000261E000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x19667:$a: NanoCore 0x196c0:$a: NanoCore 0x196fd:$a: NanoCore 0x19776:$a: NanoCore 0x196c9:$b: ClientPlugin 0x19706:$b: ClientPlugin 0x1a004:$b: ClientPlugin 0x1a011:$b: ClientPlugin 0x10ed0:$e: KeepAlive 0x19b51:$g: LogClientMessage 0x19ad1:$i: get_Connected 0xb699:$j: #=q 0xb6c9:$j: #=q 0xb705:$j: #=q 0xb72d:$j: #=q 0xb75d:$j: #=q 0xb78d:$j: #=q 0xb7bd:$j: #=q 0xb7ed:$j: #=q 0xb809:$j: #=q 0xb839:$j: #=q
00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6601:$a: NanoCore 0x665a:$a: NanoCore 0x6697:$a: NanoCore 0x6710:$a: NanoCore 0x19dbb:$a: NanoCore 0x19dd0:$a: NanoCore 0x19e05:$a: NanoCore 0x23c69:$a: NanoCore 0x23cc2:$a: NanoCore 0x23cff:$a: NanoCore 0x23d78:$a: NanoCore 0x37423:$a: NanoCore 0x37438:$a: NanoCore 0x3746d:$a: NanoCore 0x45082:$a: NanoCore 0x450a7:$a: NanoCore 0x45100:$a: NanoCore 0x6663:$b: ClientPlugin 0x66a0:$b: ClientPlugin 0x6f9e:$b: ClientPlugin 0x6fab:$b: ClientPlugin
0000000B.00000002.361051688.000000000381A000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.361051688.000000000381A000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42dfd:$a: NanoCore 0x42e56:$a: NanoCore 0x42e93:$a: NanoCore 0x42f0c:$a: NanoCore 0x565b7:$a: NanoCore 0x565cc:$a: NanoCore 0x56601:$a: NanoCore 0x6f093:$a: NanoCore 0x6f0a8:$a: NanoCore 0x6f0dd:$a: NanoCore 0x42e5f:$b: ClientPlugin 0x42e9c:$b: ClientPlugin 0x4379a:$b: ClientPlugin 0x437a7:$b: ClientPlugin 0x56373:$b: ClientPlugin 0x5638e:$b: ClientPlugin 0x563be:$b: ClientPlugin 0x565d5:$b: ClientPlugin 0x5660a:$b: ClientPlugin 0x6ee4f:$b: ClientPlugin 0x6ee6a:$b: ClientPlugin
00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000005.00000002.563059058.0000000004BB0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000005.00000002.563059058.0000000004BB0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000005.00000001.299308522.0000000000414000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000001.299308522.0000000000414000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000001.299308522.0000000000414000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
0000000B.00000000.341500174.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000000.341500174.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000000.341500174.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000005.00000002.562195683.0000000003832000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000000.325598662.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000000.325598662.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000000.325598662.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000009.00000002.345786625.0000000003180000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000002.345786625.0000000003180000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
00000009.00000002.345786625.0000000003180000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.345786625.0000000003180000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
00000005.00000002.559328771.0000000000614000.00000004.00000020.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x205d5:$x1: NanoCore.ClientPluginHost 0x20612:$x2: IClientNetworkHost 0x24145:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.559328771.0000000000614000.00000004.00000020.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.559328771.0000000000614000.00000004.00000020.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4e50:$a: NanoCore 0x2033d:$a: NanoCore 0x2034d:$a: NanoCore 0x20581:$a: NanoCore 0x20595:$a: NanoCore 0x205d5:$a: NanoCore 0x2039c:$b: ClientPlugin 0x2059e:$b: ClientPlugin 0x205de:$b: ClientPlugin 0x527e0:$b: ClientPlugin 0x5c91e:$b: ClientPlugin 0x61500:$b: ClientPlugin 0x204c3:$c: ProjectData 0x20eca:$d: DESCrypto 0x28896:$e: KeepAlive 0x26884:$g: LogClientMessage 0x22a7f:$i: get_Connected 0x21200:$j: #=q 0x21230:$j: #=q 0x2124c:$j: #=q 0x2127c:$j: #=q
00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10b2a:$a: NanoCore 0x10b4f:$a: NanoCore 0x10ba8:$a: NanoCore 0x20da3:$a: NanoCore 0x20dc9:$a: NanoCore 0x20e25:$a: NanoCore 0x2dcd3:$a: NanoCore 0x2dd2c:$a: NanoCore 0x2dd5f:$a: NanoCore 0x2df8b:$a: NanoCore 0x2e007:$a: NanoCore 0x2e620:$a: NanoCore 0x2e769:$a: NanoCore 0x2ec3d:$a: NanoCore 0x2ef24:$a: NanoCore 0x2ef3b:$a: NanoCore 0x37e33:$a: NanoCore 0x37eaf:$a: NanoCore 0x3a792:$a: NanoCore 0x3ef58:$a: NanoCore 0x3efa2:$a: NanoCore
00000005.00000002.563366604.0000000005370000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000005.00000002.563366604.0000000005370000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
0000000B.00000002.360974701.00000000027EE000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x19667:$a: NanoCore 0x196c0:$a: NanoCore 0x196fd:$a: NanoCore 0x19776:$a: NanoCore 0x196c9:$b: ClientPlugin 0x19706:$b: ClientPlugin 0x1a004:$b: ClientPlugin 0x1a011:$b: ClientPlugin 0x10ed0:$e: KeepAlive 0x19b51:$g: LogClientMessage 0x19ad1:$i: get_Connected 0xb699:$j: #=q 0xb6c9:$j: #=q 0xb705:$j: #=q 0xb72d:$j: #=q 0xb75d:$j: #=q 0xb78d:$j: #=q 0xb7bd:$j: #=q 0xb7ed:$j: #=q 0xb809:$j: #=q 0xb839:$j: #=q
0000000B.00000002.361014751.00000000037E1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x123e5:$x1: NanoCore.ClientPluginHost 0x12422:$x2: IClientNetworkHost 0x15f55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.361014751.00000000037E1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.361014751.00000000037E1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1214d:$a: NanoCore 0x1215d:$a: NanoCore 0x12391:$a: NanoCore 0x123a5:$a: NanoCore 0x123e5:$a: NanoCore 0x121ac:$b: ClientPlugin 0x123ae:$b: ClientPlugin 0x123ee:$b: ClientPlugin 0x122d3:$c: ProjectData 0x12cda:$d: DESCrypto 0x1a6a6:$e: KeepAlive 0x18694:$g: LogClientMessage 0x1488f:$i: get_Connected 0x13010:$j: #=q 0x13040:$j: #=q 0x1305c:$j: #=q 0x1308c:$j: #=q 0x130a8:$j: #=q 0x130c4:$j: #=q 0x130f4:$j: #=q 0x13110:$j: #=q
00000005.00000002.563890986.0000000005400000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000005.00000002.563890986.0000000005400000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xeb1f:$a: NanoCore 0xeb44:$a: NanoCore 0xeb9d:$a: NanoCore 0x1ed3c:$a: NanoCore 0x1ed62:$a: NanoCore 0x1edbe:$a: NanoCore 0x2bc15:$a: NanoCore 0x2bc6e:$a: NanoCore 0x2bca1:$a: NanoCore 0x2becd:$a: NanoCore 0x2bf49:$a: NanoCore 0x2c562:$a: NanoCore 0x2c6ab:$a: NanoCore 0x2cb7f:$a: NanoCore 0x2ce66:$a: NanoCore 0x2ce7d:$a: NanoCore 0x35d21:$a: NanoCore 0x35d9d:$a: NanoCore 0x38680:$a: NanoCore 0x3ba32:$a: NanoCore 0x3cdee:$a: NanoCore
00000005.00000002.564263969.0000000005440000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000005.00000002.564263969.0000000005440000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
Process Memory Space: filedata.exe PID: 6760	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd1452:$x1: NanoCore.ClientPluginHost 0xd148f:$x2: IClientNetworkHost 0xd4f80:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xdffbf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: filedata.exe PID: 6760	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: filedata.exe PID: 6760	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xd111f:$a: NanoCore 0xd112f:$a: NanoCore 0xd11ee:$a: NanoCore 0xd11fd:$a: NanoCore 0xd13fe:$a: NanoCore 0xd1412:$a: NanoCore 0xd1452:$a: NanoCore 0xdc629:$a: NanoCore 0xdc63b:$a: NanoCore 0xdc677:$a: NanoCore 0xd117e:$b: ClientPlugin 0xd1247:$b: ClientPlugin 0xd141b:$b: ClientPlugin 0xd145b:$b: ClientPlugin 0xdc644:$b: ClientPlugin 0xdc680:$b: ClientPlugin 0xd1340:$c: ProjectData 0xdc576:$c: ProjectData 0xd1d14:$d: DESCrypto 0xdced4:$d: DESCrypto 0xd96d1:$e: KeepAlive
Process Memory Space: filedata.exe PID: 6220	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x65b7:$x1: NanoCore.ClientPluginHost 0x219af:$x1: NanoCore.ClientPluginHost 0x40010:$x1: NanoCore.ClientPluginHost 0x6827b:$x1: NanoCore.ClientPluginHost 0x7b08e:$x1: NanoCore.ClientPluginHost 0x84f04:$x1: NanoCore.ClientPluginHost 0x94433:$x1: NanoCore.ClientPluginHost 0x98350:$x1: NanoCore.ClientPluginHost 0x9f8ef:$x1: NanoCore.ClientPluginHost 0xc1562:$x1: NanoCore.ClientPluginHost 0xd37b1:$x1: NanoCore.ClientPluginHost 0xee2e5:$x1: NanoCore.ClientPluginHost 0x12b33f:$x1: NanoCore.ClientPluginHost 0x16d989:$x1: NanoCore.ClientPluginHost 0x18a401:$x1: NanoCore.ClientPluginHost 0x1ae7af:$x1: NanoCore.ClientPluginHost 0x1cddb0:$x1: NanoCore.ClientPluginHost 0x1ddfb0:$x1: NanoCore.ClientPluginHost 0x203303:$x1: NanoCore.ClientPluginHost 0x22cde7:$x1: NanoCore.ClientPluginHost 0x23f536:$x1: NanoCore.ClientPluginHost
Process Memory Space: filedata.exe PID: 6220	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: filedata.exe PID: 6220	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6284:$a: NanoCore 0x6294:$a: NanoCore 0x6353:$a: NanoCore 0x6362:$a: NanoCore 0x6563:$a: NanoCore 0x6577:$a: NanoCore 0x65b7:$a: NanoCore 0x117d5:$a: NanoCore 0x117e7:$a: NanoCore 0x11823:$a: NanoCore 0x2167c:$a: NanoCore 0x2168c:$a: NanoCore 0x2174b:$a: NanoCore 0x2175a:$a: NanoCore 0x2195b:$a: NanoCore 0x2196f:$a: NanoCore 0x219af:$a: NanoCore 0x2cbcd:$a: NanoCore 0x2cbdf:$a: NanoCore 0x2cc1b:$a: NanoCore 0x40010:$a: NanoCore
Process Memory Space: chmac.exe PID: 2812	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd22eb:$x1: NanoCore.ClientPluginHost 0xd2328:$x2: IClientNetworkHost 0xd5e19:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe0e58:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: chmac.exe PID: 2812	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: chmac.exe PID: 2812	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xd1fb8:$a: NanoCore 0xd1fc8:$a: NanoCore 0xd2087:$a: NanoCore 0xd2096:$a: NanoCore 0xd2297:$a: NanoCore 0xd22ab:$a: NanoCore 0xd22eb:$a: NanoCore 0xdd4c2:$a: NanoCore 0xdd4d4:$a: NanoCore 0xdd510:$a: NanoCore 0xd2017:$b: ClientPlugin 0xd20e0:$b: ClientPlugin 0xd22b4:$b: ClientPlugin 0xd22f4:$b: ClientPlugin 0xdd4dd:$b: ClientPlugin 0xdd519:$b: ClientPlugin 0xd21d9:$c: ProjectData 0xdd40f:$c: ProjectData 0xd2bad:$d: DESCrypto 0xddd6d:$d: DESCrypto 0xda56a:$e: KeepAlive
Process Memory Space: chmac.exe PID: 6352	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10a21:$x1: NanoCore.ClientPluginHost 0x2afb6:$x1: NanoCore.ClientPluginHost 0x3f9cf:$x1: NanoCore.ClientPluginHost 0x587e7:$x1: NanoCore.ClientPluginHost 0x705c2:$x1: NanoCore.ClientPluginHost 0x89105:$x1: NanoCore.ClientPluginHost 0xaa6ab:$x1: NanoCore.ClientPluginHost 0xb29af:$x1: NanoCore.ClientPluginHost 0x10a5e:$x2: IClientNetworkHost 0x2afd0:$x2: IClientNetworkHost 0x3fa0c:$x2: IClientNetworkHost 0x58824:$x2: IClientNetworkHost 0x705ff:$x2: IClientNetworkHost 0x89142:$x2: IClientNetworkHost 0xaa6c5:$x2: IClientNetworkHost 0xb29ec:$x2: IClientNetworkHost 0x1454f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1f5d5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x434fd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4e583:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5c315:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: chmac.exe PID: 6352	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: chmac.exe PID: 6352	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x106ee:$a: NanoCore 0x106fe:$a: NanoCore 0x107bd:$a: NanoCore 0x107cc:$a: NanoCore 0x109cd:$a: NanoCore 0x109e1:$a: NanoCore 0x10a21:$a: NanoCore 0x1bc3f:$a: NanoCore 0x1bc51:$a: NanoCore 0x1bc8d:$a: NanoCore 0x2af20:$a: NanoCore 0x2af79:$a: NanoCore 0x2afb6:$a: NanoCore 0x2b02f:$a: NanoCore 0x2b8e8:$a: NanoCore 0x2b93b:$a: NanoCore 0x2b974:$a: NanoCore 0x2b9e7:$a: NanoCore 0x32fb9:$a: NanoCore 0x32fcc:$a: NanoCore 0x32ffe:$a: NanoCore
Process Memory Space: chmac.exe PID: 4476	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd4535:$x1: NanoCore.ClientPluginHost 0xd4572:$x2: IClientNetworkHost 0xd8063:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe30a2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: chmac.exe PID: 4476	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: chmac.exe PID: 4476	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xd4202:$a: NanoCore 0xd4212:$a: NanoCore 0xd42d1:$a: NanoCore 0xd42e0:$a: NanoCore 0xd44e1:$a: NanoCore 0xd44f5:$a: NanoCore 0xd4535:$a: NanoCore 0xdf70c:$a: NanoCore 0xdf71e:$a: NanoCore 0xdf75a:$a: NanoCore 0xd4261:$b: ClientPlugin 0xd432a:$b: ClientPlugin 0xd44fe:$b: ClientPlugin 0xd453e:$b: ClientPlugin 0xdf727:$b: ClientPlugin 0xdf763:$b: ClientPlugin 0xd4423:$c: ProjectData 0xdf659:$c: ProjectData 0xd4df7:$d: DESCrypto 0xdffb7:$d: DESCrypto 0xdc7b4:$e: KeepAlive
Process Memory Space: chmac.exe PID: 6968	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xde3:$x1: NanoCore.ClientPluginHost 0x29451:$x1: NanoCore.ClientPluginHost 0x42b46:$x1: NanoCore.ClientPluginHost 0x5ee27:$x1: NanoCore.ClientPluginHost 0x768d7:$x1: NanoCore.ClientPluginHost 0x92c4b:$x1: NanoCore.ClientPluginHost 0xb3cb0:$x1: NanoCore.ClientPluginHost 0xb6f75:$x1: NanoCore.ClientPluginHost 0xe20:$x2: IClientNetworkHost 0x2948e:$x2: IClientNetworkHost 0x42b83:$x2: IClientNetworkHost 0x5ee64:$x2: IClientNetworkHost 0x76914:$x2: IClientNetworkHost 0x92c65:$x2: IClientNetworkHost 0xb3cca:$x2: IClientNetworkHost 0xb6fb2:$x2: IClientNetworkHost 0x4911:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xf997:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2cf7f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x38005:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46674:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: chmac.exe PID: 6968	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: chmac.exe PID: 6968	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xab0:$a: NanoCore 0xac0:$a: NanoCore 0xb7f:$a: NanoCore 0xb8e:$a: NanoCore 0xd8f:$a: NanoCore 0xda3:$a: NanoCore 0xde3:$a: NanoCore 0xc001:$a: NanoCore 0xc013:$a: NanoCore 0xc04f:$a: NanoCore 0x1b556:$a: NanoCore 0x1b5c3:$a: NanoCore 0x1b636:$a: NanoCore 0x2911e:$a: NanoCore 0x2912e:$a: NanoCore 0x291ed:$a: NanoCore 0x291fc:$a: NanoCore 0x293fd:$a: NanoCore 0x29411:$a: NanoCore 0x29451:$a: NanoCore 0x3466f:$a: NanoCore
Click to see the 144 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.filedata.exe.5370000.34.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
5.2.filedata.exe.5370000.34.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
5.2.filedata.exe.383df59.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x7eb2e:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x7eb48:$x2: IClientNetworkHost
5.2.filedata.exe.383df59.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x7eb2e:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x7fb63:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x7eb1b:$s5: IClientLoggingHost
5.2.filedata.exe.383df59.19.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.filedata.exe.4bc0000.32.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.filedata.exe.4bc0000.32.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.filedata.exe.4bc0000.32.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.filedata.exe.3b6aac9.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
5.2.filedata.exe.3b6aac9.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
5.2.filedata.exe.3b6aac9.26.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.filedata.exe.5450000.43.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
5.2.filedata.exe.5450000.43.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
5.2.filedata.exe.53f0000.39.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
5.2.filedata.exe.53f0000.39.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
8.2.chmac.exe.3613258.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.chmac.exe.3613258.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
8.2.chmac.exe.3613258.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.chmac.exe.3613258.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
11.0.chmac.exe.400000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.0.chmac.exe.400000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
11.0.chmac.exe.400000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.0.chmac.exe.400000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
11.2.chmac.exe.37e3258.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.chmac.exe.37e3258.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
11.2.chmac.exe.37e3258.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.chmac.exe.37e3258.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
8.2.chmac.exe.47c0000.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.chmac.exe.47c0000.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
8.2.chmac.exe.47c0000.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.chmac.exe.47c0000.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
8.2.chmac.exe.3690e54.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28289:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282b6:$x2: IClientNetworkHost
8.2.chmac.exe.3690e54.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28289:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29364:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x282a3:$s5: IClientLoggingHost
8.2.chmac.exe.3690e54.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.filedata.exe.23b1458.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.filedata.exe.23b1458.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.filedata.exe.23b1458.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.filedata.exe.23b1458.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.filedata.exe.2970224.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d67:$x1: NanoCore.ClientPluginHost 0x1fc0f:$x1: NanoCore.ClientPluginHost 0x26d34:$x1: NanoCore.ClientPluginHost 0x2d015:$x1: NanoCore.ClientPluginHost 0x3767b:$x1: NanoCore.ClientPluginHost 0x41aff:$x1: NanoCore.ClientPluginHost 0x4cb39:$x1: NanoCore.ClientPluginHost 0x58937:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15da0:$x2: IClientNetworkHost 0x1fc48:$x2: IClientNetworkHost 0x2d04e:$x2: IClientNetworkHost 0x377d8:$x2: IClientNetworkHost 0x41b38:$x2: IClientNetworkHost 0x4cb53:$x2: IClientNetworkHost 0x58951:$x2: IClientNetworkHost
5.2.filedata.exe.2970224.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d67:$x2: NanoCore.ClientPluginHost 0x1fc0f:$x2: NanoCore.ClientPluginHost 0x26d34:$x2: NanoCore.ClientPluginHost 0x2d015:$x2: NanoCore.ClientPluginHost 0x3767b:$x2: NanoCore.ClientPluginHost 0x41aff:$x2: NanoCore.ClientPluginHost 0x4cb39:$x2: NanoCore.ClientPluginHost 0x58937:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x385d1:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e84:$s4: PipeCreated 0x1fd13:$s4: PipeCreated 0x26e12:$s4: PipeCreated 0x2d130:$s4: PipeCreated 0x37871:$s4: PipeCreated 0x41c4a:$s4: PipeCreated 0x4db6e:$s4: PipeCreated 0x5a6e2:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
5.2.filedata.exe.2970224.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15aaf:$a: NanoCore 0x15b08:$a: NanoCore 0x15b3b:$a: NanoCore 0x15d67:$a: NanoCore 0x15de3:$a: NanoCore 0x163fc:$a: NanoCore 0x16545:$a: NanoCore 0x16a19:$a: NanoCore 0x16d00:$a: NanoCore 0x16d17:$a: NanoCore 0x1fc0f:$a: NanoCore 0x1fc8b:$a: NanoCore 0x2256e:$a: NanoCore 0x26d34:$a: NanoCore 0x26d7e:$a: NanoCore 0x279d8:$a: NanoCore 0x2d015:$a: NanoCore 0x2d08f:$a: NanoCore
5.0.filedata.exe.400000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.filedata.exe.400000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
5.0.filedata.exe.400000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.filedata.exe.400000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
11.1.chmac.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.1.chmac.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
11.1.chmac.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.1.chmac.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
11.2.chmac.exe.2806888.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
11.2.chmac.exe.2806888.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
5.2.filedata.exe.284528c.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb56f:$x1: NanoCore.ClientPluginHost 0x12678:$x1: NanoCore.ClientPluginHost 0x1893d:$x1: NanoCore.ClientPluginHost 0x22f87:$x1: NanoCore.ClientPluginHost 0x2d3ef:$x1: NanoCore.ClientPluginHost 0x3840d:$x1: NanoCore.ClientPluginHost 0x441ef:$x1: NanoCore.ClientPluginHost 0x4ffb6:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb5a8:$x2: IClientNetworkHost 0x18976:$x2: IClientNetworkHost 0x230e4:$x2: IClientNetworkHost 0x2d428:$x2: IClientNetworkHost 0x38427:$x2: IClientNetworkHost 0x44209:$x2: IClientNetworkHost 0x4fff3:$x2: IClientNetworkHost
5.2.filedata.exe.284528c.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb56f:$a: NanoCore 0xb5eb:$a: NanoCore 0xdece:$a: NanoCore 0x12678:$a: NanoCore 0x126c2:$a: NanoCore 0x1331c:$a: NanoCore 0x1893d:$a: NanoCore 0x189b7:$a: NanoCore 0x22f87:$a: NanoCore 0x23071:$a: NanoCore 0x23ee8:$a: NanoCore
5.2.filedata.exe.37a3248.13.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
5.2.filedata.exe.37a3248.13.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
5.2.filedata.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.filedata.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
5.2.filedata.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.filedata.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
9.2.chmac.exe.3180000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.chmac.exe.3180000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
9.2.chmac.exe.3180000.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.chmac.exe.3180000.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
8.0.chmac.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.0.chmac.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
8.0.chmac.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.0.chmac.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
11.2.chmac.exe.6d7f68.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.chmac.exe.6d7f68.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
11.2.chmac.exe.6d7f68.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.chmac.exe.6d7f68.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.filedata.exe.3a867ea.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb537:$x1: NanoCore.ClientPluginHost 0x12604:$x1: NanoCore.ClientPluginHost 0x1888f:$x1: NanoCore.ClientPluginHost 0x22ea0:$x1: NanoCore.ClientPluginHost 0x2d2cd:$x1: NanoCore.ClientPluginHost 0x382ac:$x1: NanoCore.ClientPluginHost 0x44050:$x1: NanoCore.ClientPluginHost 0x68f56:$x1: NanoCore.ClientPluginHost 0x78398:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb570:$x2: IClientNetworkHost 0x188c8:$x2: IClientNetworkHost 0x22ffd:$x2: IClientNetworkHost 0x2d306:$x2: IClientNetworkHost 0x382c6:$x2: IClientNetworkHost 0x4406a:$x2: IClientNetworkHost 0x68f70:$x2: IClientNetworkHost 0x783d5:$x2: IClientNetworkHost
5.2.filedata.exe.3a867ea.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0xb537:$x2: NanoCore.ClientPluginHost 0x12604:$x2: NanoCore.ClientPluginHost 0x1888f:$x2: NanoCore.ClientPluginHost 0x22ea0:$x2: NanoCore.ClientPluginHost 0x2d2cd:$x2: NanoCore.ClientPluginHost 0x382ac:$x2: NanoCore.ClientPluginHost 0x44050:$x2: NanoCore.ClientPluginHost 0x68f56:$x2: NanoCore.ClientPluginHost 0x78398:$x2: NanoCore.ClientPluginHost 0x23df6:$s3: PipeExists 0x1800:$s4: PipeCreated 0xb63b:$s4: PipeCreated 0x126e2:$s4: PipeCreated 0x189aa:$s4: PipeCreated 0x23096:$s4: PipeCreated 0x2d418:$s4: PipeCreated 0x392e1:$s4: PipeCreated 0x45dfb:$s4: PipeCreated 0x6c293:$s4: PipeCreated 0x7b7eb:$s4: PipeCreated
5.2.filedata.exe.3a867ea.23.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb537:$a: NanoCore 0xb5b3:$a: NanoCore 0xde96:$a: NanoCore 0x11248:$a: NanoCore 0x12604:$a: NanoCore 0x1264e:$a: NanoCore 0x132a8:$a: NanoCore 0x1888f:$a: NanoCore 0x18909:$a: NanoCore 0x22ea0:$a: NanoCore 0x22f8a:$a: NanoCore
5.2.filedata.exe.2830c24.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
5.2.filedata.exe.2830c24.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
8.2.chmac.exe.4810000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.chmac.exe.4810000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
8.2.chmac.exe.4810000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.chmac.exe.4810000.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.chmac.exe.32d1458.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.chmac.exe.32d1458.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.chmac.exe.32d1458.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.chmac.exe.32d1458.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.filedata.exe.3a721bd.24.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
5.2.filedata.exe.3a721bd.24.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
11.2.chmac.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.chmac.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
11.2.chmac.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.chmac.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
11.0.chmac.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.0.chmac.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
11.0.chmac.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.0.chmac.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
8.1.chmac.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.1.chmac.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
8.1.chmac.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.1.chmac.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.filedata.exe.545e8a4.44.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
5.2.filedata.exe.545e8a4.44.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
8.1.chmac.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.1.chmac.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
8.1.chmac.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.1.chmac.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
5.2.filedata.exe.29848a8.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb58b:$x1: NanoCore.ClientPluginHost 0x126b0:$x1: NanoCore.ClientPluginHost 0x18991:$x1: NanoCore.ClientPluginHost 0x22ff7:$x1: NanoCore.ClientPluginHost 0x2d47b:$x1: NanoCore.ClientPluginHost 0x384b5:$x1: NanoCore.ClientPluginHost 0x442b3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb5c4:$x2: IClientNetworkHost 0x189ca:$x2: IClientNetworkHost 0x23154:$x2: IClientNetworkHost 0x2d4b4:$x2: IClientNetworkHost 0x384cf:$x2: IClientNetworkHost 0x442cd:$x2: IClientNetworkHost
5.2.filedata.exe.29848a8.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0xb58b:$x2: NanoCore.ClientPluginHost 0x126b0:$x2: NanoCore.ClientPluginHost 0x18991:$x2: NanoCore.ClientPluginHost 0x22ff7:$x2: NanoCore.ClientPluginHost 0x2d47b:$x2: NanoCore.ClientPluginHost 0x384b5:$x2: NanoCore.ClientPluginHost 0x442b3:$x2: NanoCore.ClientPluginHost 0x23f4d:$s3: PipeExists 0x1800:$s4: PipeCreated 0xb68f:$s4: PipeCreated 0x1278e:$s4: PipeCreated 0x18aac:$s4: PipeCreated 0x231ed:$s4: PipeCreated 0x2d5c6:$s4: PipeCreated 0x394ea:$s4: PipeCreated 0x4605e:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost 0xb5a5:$s5: IClientLoggingHost 0x126ca:$s5: IClientLoggingHost 0x189ab:$s5: IClientLoggingHost
5.2.filedata.exe.29848a8.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb58b:$a: NanoCore 0xb607:$a: NanoCore 0xdeea:$a: NanoCore 0x126b0:$a: NanoCore 0x126fa:$a: NanoCore 0x13354:$a: NanoCore 0x18991:$a: NanoCore 0x18a0b:$a: NanoCore 0x22ff7:$a: NanoCore 0x230e1:$a: NanoCore 0x23f58:$a: NanoCore
5.2.filedata.exe.5400000.40.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
5.2.filedata.exe.5400000.40.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
8.0.chmac.exe.415058.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.0.chmac.exe.415058.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
8.0.chmac.exe.415058.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.0.chmac.exe.415058.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.filedata.exe.23a0000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.filedata.exe.23a0000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d75d:$x1: NanoCore Client.exe 0x1d9e5:$x2: NanoCore.ClientPluginHost 0x1f01e:$s1: PluginCommand 0x1f012:$s2: FileCommand 0x1fec3:$s3: PipeExists 0x25c7a:$s4: PipeCreated 0x1da0f:$s5: IClientLoggingHost
1.2.filedata.exe.23a0000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.filedata.exe.23a0000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
11.0.chmac.exe.415058.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.0.chmac.exe.415058.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
11.0.chmac.exe.415058.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.0.chmac.exe.415058.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
11.2.chmac.exe.400000.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.chmac.exe.400000.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
11.2.chmac.exe.400000.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.chmac.exe.400000.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
8.2.chmac.exe.415058.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.chmac.exe.415058.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
8.2.chmac.exe.415058.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.chmac.exe.415058.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.filedata.exe.5454c9f.45.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
5.2.filedata.exe.5454c9f.45.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
5.2.filedata.exe.4bc4629.31.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
5.2.filedata.exe.4bc4629.31.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
5.2.filedata.exe.4bc4629.31.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.filedata.exe.28249b0.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14e19:$x1: NanoCore.ClientPluginHost 0x21fbf:$x1: NanoCore.ClientPluginHost 0x2be4b:$x1: NanoCore.ClientPluginHost 0x32f54:$x1: NanoCore.ClientPluginHost 0x39219:$x1: NanoCore.ClientPluginHost 0x43863:$x1: NanoCore.ClientPluginHost 0x4dccb:$x1: NanoCore.ClientPluginHost 0x58ce9:$x1: NanoCore.ClientPluginHost 0x64acb:$x1: NanoCore.ClientPluginHost 0x70892:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e46:$x2: IClientNetworkHost 0x21ff8:$x2: IClientNetworkHost 0x2be84:$x2: IClientNetworkHost 0x39252:$x2: IClientNetworkHost 0x439c0:$x2: IClientNetworkHost 0x4dd04:$x2: IClientNetworkHost 0x58d03:$x2: IClientNetworkHost 0x64ae5:$x2: IClientNetworkHost 0x708cf:$x2: IClientNetworkHost
5.2.filedata.exe.28249b0.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14df3:$a: NanoCore 0x14e19:$a: NanoCore 0x14e75:$a: NanoCore 0x21d07:$a: NanoCore 0x21d60:$a: NanoCore 0x21d93:$a: NanoCore 0x21fbf:$a: NanoCore 0x2203b:$a: NanoCore 0x22654:$a: NanoCore 0x2279d:$a: NanoCore 0x22c71:$a: NanoCore 0x22f58:$a: NanoCore 0x22f6f:$a: NanoCore 0x2be4b:$a: NanoCore 0x2bec7:$a: NanoCore 0x2e7aa:$a: NanoCore 0x32f54:$a: NanoCore 0x32f9e:$a: NanoCore
5.2.filedata.exe.3839930.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x83157:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x83171:$x2: IClientNetworkHost
5.2.filedata.exe.3839930.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x83157:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x8418c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x83144:$s5: IClientLoggingHost
5.2.filedata.exe.3839930.18.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.0.chmac.exe.415058.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.0.chmac.exe.415058.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
11.0.chmac.exe.415058.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.0.chmac.exe.415058.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
11.2.chmac.exe.4920000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.chmac.exe.4920000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
11.2.chmac.exe.4920000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.chmac.exe.4920000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.filedata.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.filedata.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.filedata.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.filedata.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.0.filedata.exe.415058.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.filedata.exe.415058.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.filedata.exe.415058.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.filedata.exe.415058.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
11.2.chmac.exe.4920000.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.chmac.exe.4920000.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
11.2.chmac.exe.4920000.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.chmac.exe.4920000.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
8.0.chmac.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.0.chmac.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
8.0.chmac.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.0.chmac.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
5.0.filedata.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.filedata.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
5.0.filedata.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.filedata.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
5.2.filedata.exe.37da822.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x1e4dd:$x1: NanoCore.ClientPluginHost 0x31c4b:$x1: NanoCore.ClientPluginHost 0x3f885:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x1e4f7:$x2: IClientNetworkHost 0x31c78:$x2: IClientNetworkHost 0x3f8af:$x2: IClientNetworkHost
5.2.filedata.exe.37da822.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x1e4dd:$x2: NanoCore.ClientPluginHost 0x31c4b:$x2: NanoCore.ClientPluginHost 0x3f885:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1e8c9:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x1e79e:$s4: PipeCreated 0x32d26:$s4: PipeCreated 0x41735:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x1e518:$s5: IClientLoggingHost 0x31c65:$s5: IClientLoggingHost
5.2.filedata.exe.37da822.17.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.filedata.exe.37da822.17.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x1e447:$a: NanoCore 0x1e4a0:$a: NanoCore 0x1e4dd:$a: NanoCore 0x1e556:$a: NanoCore 0x31c01:$a: NanoCore 0x31c16:$a: NanoCore 0x31c4b:$a: NanoCore 0x3f860:$a: NanoCore 0x3f885:$a: NanoCore 0x3f8de:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin
5.2.filedata.exe.53e0000.38.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
5.2.filedata.exe.53e0000.38.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
8.0.chmac.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.0.chmac.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
8.0.chmac.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.0.chmac.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
5.2.filedata.exe.3839930.18.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.filedata.exe.3839930.18.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.filedata.exe.3839930.18.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.0.chmac.exe.415058.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.0.chmac.exe.415058.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
11.0.chmac.exe.415058.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.0.chmac.exe.415058.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
8.0.chmac.exe.415058.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.0.chmac.exe.415058.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
8.0.chmac.exe.415058.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.0.chmac.exe.415058.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
9.2.chmac.exe.3180000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.chmac.exe.3180000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d75d:$x1: NanoCore Client.exe 0x1d9e5:$x2: NanoCore.ClientPluginHost 0x1f01e:$s1: PluginCommand 0x1f012:$s2: FileCommand 0x1fec3:$s3: PipeExists 0x25c7a:$s4: PipeCreated 0x1da0f:$s5: IClientLoggingHost
9.2.chmac.exe.3180000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.chmac.exe.3180000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
5.2.filedata.exe.23b0000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.filedata.exe.23b0000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.filedata.exe.23b0000.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.filedata.exe.23b0000.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
8.2.chmac.exe.3613258.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.chmac.exe.3613258.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
8.2.chmac.exe.3613258.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.chmac.exe.3613258.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
8.0.chmac.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.0.chmac.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
8.0.chmac.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.0.chmac.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
8.2.chmac.exe.415058.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.chmac.exe.415058.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
8.2.chmac.exe.415058.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.chmac.exe.415058.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.filedata.exe.37df658.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x196a7:$x1: NanoCore.ClientPluginHost 0x2ce15:$x1: NanoCore.ClientPluginHost 0x3aa4f:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x196c1:$x2: IClientNetworkHost 0x2ce42:$x2: IClientNetworkHost 0x3aa79:$x2: IClientNetworkHost
5.2.filedata.exe.37df658.16.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x196a7:$x2: NanoCore.ClientPluginHost 0x2ce15:$x2: NanoCore.ClientPluginHost 0x3aa4f:$x2: NanoCore.ClientPluginHost 0x19a93:$s3: PipeExists 0x10888:$s4: PipeCreated 0x19968:$s4: PipeCreated 0x2def0:$s4: PipeCreated 0x3c8ff:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x196e2:$s5: IClientLoggingHost 0x2ce2f:$s5: IClientLoggingHost
5.2.filedata.exe.37df658.16.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.filedata.exe.37df658.16.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf763:$a: NanoCore 0xf778:$a: NanoCore 0xf7ad:$a: NanoCore 0x19611:$a: NanoCore 0x1966a:$a: NanoCore 0x196a7:$a: NanoCore 0x19720:$a: NanoCore 0x2cdcb:$a: NanoCore 0x2cde0:$a: NanoCore 0x2ce15:$a: NanoCore 0x3aa2a:$a: NanoCore 0x3aa4f:$a: NanoCore 0x3aaa8:$a: NanoCore 0xf51f:$b: ClientPlugin 0xf53a:$b: ClientPlugin 0xf56a:$b: ClientPlugin 0xf781:$b: ClientPlugin 0xf7b6:$b: ClientPlugin 0x19673:$b: ClientPlugin 0x196b0:$b: ClientPlugin 0x19fae:$b: ClientPlugin
11.2.chmac.exe.3860e54.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28289:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282b6:$x2: IClientNetworkHost
11.2.chmac.exe.3860e54.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28289:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29364:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x282a3:$s5: IClientLoggingHost
11.2.chmac.exe.3860e54.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.filedata.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.filedata.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
5.0.filedata.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.filedata.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
8.2.chmac.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.chmac.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
8.2.chmac.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.chmac.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
1.2.filedata.exe.23b1458.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.filedata.exe.23b1458.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.filedata.exe.23b1458.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.filedata.exe.23b1458.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.filedata.exe.37b1aec.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
5.2.filedata.exe.37b1aec.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
8.0.chmac.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.0.chmac.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
8.0.chmac.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.0.chmac.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
11.1.chmac.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.1.chmac.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
11.1.chmac.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.1.chmac.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.filedata.exe.5480000.46.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
5.2.filedata.exe.5480000.46.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
5.1.filedata.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.1.filedata.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.1.filedata.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.1.filedata.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.filedata.exe.3b664a0.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
5.2.filedata.exe.3b664a0.28.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
5.2.filedata.exe.3b664a0.28.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.1.filedata.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.1.filedata.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.1.filedata.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.1.filedata.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.filedata.exe.3943e92.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x2e61b:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost 0x2e658:$x2: IClientNetworkHost
5.2.filedata.exe.3943e92.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x2e61b:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x31a6e:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost 0x2e645:$s5: IClientLoggingHost
5.2.filedata.exe.27b154c.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.filedata.exe.27b154c.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
11.2.chmac.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.chmac.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
11.2.chmac.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.chmac.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
8.0.chmac.exe.400000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.0.chmac.exe.400000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
8.0.chmac.exe.400000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.0.chmac.exe.400000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
5.2.filedata.exe.5420000.41.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
5.2.filedata.exe.5420000.41.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
8.0.chmac.exe.400000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.0.chmac.exe.400000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
8.0.chmac.exe.400000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.0.chmac.exe.400000.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
8.2.chmac.exe.369547d.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c60:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c8d:$x2: IClientNetworkHost
8.2.chmac.exe.369547d.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c60:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d3b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c7a:$s5: IClientLoggingHost
8.2.chmac.exe.369547d.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.chmac.exe.368c01e.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0bf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0ec:$x2: IClientNetworkHost
8.2.chmac.exe.368c01e.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0bf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e19a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0d9:$s5: IClientLoggingHost
8.2.chmac.exe.368c01e.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.chmac.exe.368c01e.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d075:$a: NanoCore 0x2d08a:$a: NanoCore 0x2d0bf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce31:$b: ClientPlugin 0x2ce4c:$b: ClientPlugin
11.0.chmac.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.0.chmac.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
11.0.chmac.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.0.chmac.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
8.1.chmac.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.1.chmac.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
8.1.chmac.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.1.chmac.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.filedata.exe.4bb0000.30.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.filedata.exe.4bb0000.30.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
5.2.filedata.exe.53f0000.39.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
5.2.filedata.exe.53f0000.39.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
5.2.filedata.exe.53b0000.36.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
5.2.filedata.exe.53b0000.36.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
11.1.chmac.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.1.chmac.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
11.1.chmac.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.1.chmac.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.filedata.exe.2963f94.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14e35:$x1: NanoCore.ClientPluginHost 0x21ff7:$x1: NanoCore.ClientPluginHost 0x2be9f:$x1: NanoCore.ClientPluginHost 0x32fc4:$x1: NanoCore.ClientPluginHost 0x392a5:$x1: NanoCore.ClientPluginHost 0x4390b:$x1: NanoCore.ClientPluginHost 0x4dd8f:$x1: NanoCore.ClientPluginHost 0x58dc9:$x1: NanoCore.ClientPluginHost 0x64bc7:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e62:$x2: IClientNetworkHost 0x22030:$x2: IClientNetworkHost 0x2bed8:$x2: IClientNetworkHost 0x392de:$x2: IClientNetworkHost 0x43a68:$x2: IClientNetworkHost 0x4ddc8:$x2: IClientNetworkHost 0x58de3:$x2: IClientNetworkHost 0x64be1:$x2: IClientNetworkHost
5.2.filedata.exe.2963f94.11.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14e0f:$a: NanoCore 0x14e35:$a: NanoCore 0x14e91:$a: NanoCore 0x21d3f:$a: NanoCore 0x21d98:$a: NanoCore 0x21dcb:$a: NanoCore 0x21ff7:$a: NanoCore 0x22073:$a: NanoCore 0x2268c:$a: NanoCore 0x227d5:$a: NanoCore 0x22ca9:$a: NanoCore 0x22f90:$a: NanoCore 0x22fa7:$a: NanoCore 0x2be9f:$a: NanoCore 0x2bf1b:$a: NanoCore 0x2e7fe:$a: NanoCore 0x32fc4:$a: NanoCore 0x3300e:$a: NanoCore
11.0.chmac.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.0.chmac.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
11.0.chmac.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.0.chmac.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
5.0.filedata.exe.400000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.filedata.exe.400000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
5.0.filedata.exe.400000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.filedata.exe.400000.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
5.2.filedata.exe.3948b31.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x2997c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost 0x299b9:$x2: IClientNetworkHost
5.2.filedata.exe.3948b31.21.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x2997c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x2cdcf:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost 0x299a6:$s5: IClientLoggingHost
5.2.filedata.exe.37e3c81.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x1507e:$x1: NanoCore.ClientPluginHost 0x287ec:$x1: NanoCore.ClientPluginHost 0x36426:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x15098:$x2: IClientNetworkHost 0x28819:$x2: IClientNetworkHost 0x36450:$x2: IClientNetworkHost
5.2.filedata.exe.37e3c81.15.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x1507e:$x2: NanoCore.ClientPluginHost 0x287ec:$x2: NanoCore.ClientPluginHost 0x36426:$x2: NanoCore.ClientPluginHost 0x1546a:$s3: PipeExists 0xc25f:$s4: PipeCreated 0x1533f:$s4: PipeCreated 0x298c7:$s4: PipeCreated 0x382d6:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x150b9:$s5: IClientLoggingHost 0x28806:$s5: IClientLoggingHost
5.2.filedata.exe.37e3c81.15.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.filedata.exe.37e3c81.15.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb13a:$a: NanoCore 0xb14f:$a: NanoCore 0xb184:$a: NanoCore 0x14fe8:$a: NanoCore 0x15041:$a: NanoCore 0x1507e:$a: NanoCore 0x150f7:$a: NanoCore 0x287a2:$a: NanoCore 0x287b7:$a: NanoCore 0x287ec:$a: NanoCore 0x36401:$a: NanoCore 0x36426:$a: NanoCore 0x3647f:$a: NanoCore 0xaef6:$b: ClientPlugin 0xaf11:$b: ClientPlugin 0xaf41:$b: ClientPlugin 0xb158:$b: ClientPlugin 0xb18d:$b: ClientPlugin 0x1504a:$b: ClientPlugin 0x15087:$b: ClientPlugin 0x15985:$b: ClientPlugin
5.2.filedata.exe.3a65f89.25.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
5.2.filedata.exe.3a65f89.25.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
11.2.chmac.exe.3860e54.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
11.2.chmac.exe.3860e54.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
11.2.chmac.exe.3860e54.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.chmac.exe.3690e54.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
8.2.chmac.exe.3690e54.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
8.2.chmac.exe.3690e54.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.filedata.exe.37df658.16.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.filedata.exe.37df658.16.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.filedata.exe.37df658.16.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.filedata.exe.393ac5e.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x2840f:$x1: NanoCore.ClientPluginHost 0x3784f:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0x28429:$x2: IClientNetworkHost 0x3788c:$x2: IClientNetworkHost
5.2.filedata.exe.393ac5e.22.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x2840f:$x2: NanoCore.ClientPluginHost 0x3784f:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x2b74c:$s4: PipeCreated 0x3aca2:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost 0x283fc:$s5: IClientLoggingHost 0x37879:$s5: IClientLoggingHost
5.2.filedata.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.filedata.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.2.filedata.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.filedata.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.0.filedata.exe.415058.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.filedata.exe.415058.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.0.filedata.exe.415058.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.filedata.exe.415058.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
8.2.chmac.exe.47c0000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.chmac.exe.47c0000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
8.2.chmac.exe.47c0000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.chmac.exe.47c0000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.filedata.exe.37a3248.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
5.2.filedata.exe.37a3248.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
8.2.chmac.exe.6347a8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.chmac.exe.6347a8.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
8.2.chmac.exe.6347a8.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.chmac.exe.6347a8.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.filedata.exe.4a30000.29.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
5.2.filedata.exe.4a30000.29.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
11.2.chmac.exe.385c01e.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0bf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0ec:$x2: IClientNetworkHost
11.2.chmac.exe.385c01e.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0bf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e19a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0d9:$s5: IClientLoggingHost
11.2.chmac.exe.385c01e.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.chmac.exe.385c01e.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d075:$a: NanoCore 0x2d08a:$a: NanoCore 0x2d0bf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce31:$b: ClientPlugin 0x2ce4c:$b: ClientPlugin
5.2.filedata.exe.53e0000.38.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
5.2.filedata.exe.53e0000.38.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
11.0.chmac.exe.400000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.0.chmac.exe.400000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
11.0.chmac.exe.400000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.0.chmac.exe.400000.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
11.2.chmac.exe.37e3258.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.chmac.exe.37e3258.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
11.2.chmac.exe.37e3258.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.chmac.exe.37e3258.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.2.chmac.exe.32c0000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.chmac.exe.32c0000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
7.2.chmac.exe.32c0000.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.chmac.exe.32c0000.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
5.0.filedata.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.filedata.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
5.0.filedata.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.filedata.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
7.2.chmac.exe.32c0000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.chmac.exe.32c0000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d75d:$x1: NanoCore Client.exe 0x1d9e5:$x2: NanoCore.ClientPluginHost 0x1f01e:$s1: PluginCommand 0x1f012:$s2: FileCommand 0x1fec3:$s3: PipeExists 0x25c7a:$s4: PipeCreated 0x1da0f:$s5: IClientLoggingHost
7.2.chmac.exe.32c0000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.chmac.exe.32c0000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
8.0.chmac.exe.415058.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.0.chmac.exe.415058.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
8.0.chmac.exe.415058.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.0.chmac.exe.415058.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
11.2.chmac.exe.386547d.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c60:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c8d:$x2: IClientNetworkHost
11.2.chmac.exe.386547d.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c60:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d3b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c7a:$s5: IClientLoggingHost
11.2.chmac.exe.386547d.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.filedata.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.filedata.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
5.0.filedata.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.filedata.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
5.2.filedata.exe.53d0000.37.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
5.2.filedata.exe.53d0000.37.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
5.2.filedata.exe.5420000.41.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
5.2.filedata.exe.5420000.41.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
5.2.filedata.exe.5440000.42.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
5.2.filedata.exe.5440000.42.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
5.2.filedata.exe.53b0000.36.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
5.2.filedata.exe.53b0000.36.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
7.2.chmac.exe.32d1458.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.chmac.exe.32d1458.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
7.2.chmac.exe.32d1458.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.chmac.exe.32d1458.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.filedata.exe.5440000.42.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
5.2.filedata.exe.5440000.42.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
5.0.filedata.exe.415058.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.filedata.exe.415058.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.filedata.exe.415058.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.filedata.exe.415058.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.filedata.exe.5480000.46.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
5.2.filedata.exe.5480000.46.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
5.2.filedata.exe.2970224.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
5.2.filedata.exe.2970224.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
5.2.filedata.exe.23f0000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.filedata.exe.23f0000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.filedata.exe.23f0000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.filedata.exe.23f0000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.filedata.exe.3a721bd.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d10:$x1: NanoCore.ClientPluginHost 0x1fb64:$x1: NanoCore.ClientPluginHost 0x26c31:$x1: NanoCore.ClientPluginHost 0x2cebc:$x1: NanoCore.ClientPluginHost 0x374cd:$x1: NanoCore.ClientPluginHost 0x418fa:$x1: NanoCore.ClientPluginHost 0x4c8d9:$x1: NanoCore.ClientPluginHost 0x5867d:$x1: NanoCore.ClientPluginHost 0x7d583:$x1: NanoCore.ClientPluginHost 0x8c9c5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d49:$x2: IClientNetworkHost 0x1fb9d:$x2: IClientNetworkHost 0x2cef5:$x2: IClientNetworkHost 0x3762a:$x2: IClientNetworkHost 0x41933:$x2: IClientNetworkHost 0x4c8f3:$x2: IClientNetworkHost 0x58697:$x2: IClientNetworkHost 0x7d59d:$x2: IClientNetworkHost 0x8ca02:$x2: IClientNetworkHost
5.2.filedata.exe.3a721bd.24.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a58:$a: NanoCore 0x15ab1:$a: NanoCore 0x15ae4:$a: NanoCore 0x15d10:$a: NanoCore 0x15d8c:$a: NanoCore 0x163a5:$a: NanoCore 0x164ee:$a: NanoCore 0x169c2:$a: NanoCore 0x16ca9:$a: NanoCore 0x16cc0:$a: NanoCore 0x1fb64:$a: NanoCore 0x1fbe0:$a: NanoCore 0x224c3:$a: NanoCore 0x25875:$a: NanoCore 0x26c31:$a: NanoCore 0x26c7b:$a: NanoCore 0x278d5:$a: NanoCore 0x2cebc:$a: NanoCore
5.0.filedata.exe.415058.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.filedata.exe.415058.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.0.filedata.exe.415058.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.filedata.exe.415058.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
11.0.chmac.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.0.chmac.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
11.0.chmac.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.0.chmac.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
5.2.filedata.exe.2830c24.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d4b:$x1: NanoCore.ClientPluginHost 0x1fbd7:$x1: NanoCore.ClientPluginHost 0x26ce0:$x1: NanoCore.ClientPluginHost 0x2cfa5:$x1: NanoCore.ClientPluginHost 0x375ef:$x1: NanoCore.ClientPluginHost 0x41a57:$x1: NanoCore.ClientPluginHost 0x4ca75:$x1: NanoCore.ClientPluginHost 0x58857:$x1: NanoCore.ClientPluginHost 0x6461e:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d84:$x2: IClientNetworkHost 0x1fc10:$x2: IClientNetworkHost 0x2cfde:$x2: IClientNetworkHost 0x3774c:$x2: IClientNetworkHost 0x41a90:$x2: IClientNetworkHost 0x4ca8f:$x2: IClientNetworkHost 0x58871:$x2: IClientNetworkHost 0x6465b:$x2: IClientNetworkHost
5.2.filedata.exe.2830c24.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a93:$a: NanoCore 0x15aec:$a: NanoCore 0x15b1f:$a: NanoCore 0x15d4b:$a: NanoCore 0x15dc7:$a: NanoCore 0x163e0:$a: NanoCore 0x16529:$a: NanoCore 0x169fd:$a: NanoCore 0x16ce4:$a: NanoCore 0x16cfb:$a: NanoCore 0x1fbd7:$a: NanoCore 0x1fc53:$a: NanoCore 0x22536:$a: NanoCore 0x26ce0:$a: NanoCore 0x26d2a:$a: NanoCore 0x27984:$a: NanoCore 0x2cfa5:$a: NanoCore 0x2d01f:$a: NanoCore
5.2.filedata.exe.2963f94.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
5.2.filedata.exe.2963f94.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
11.2.chmac.exe.6d7f68.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.chmac.exe.6d7f68.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
11.2.chmac.exe.6d7f68.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.chmac.exe.6d7f68.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.0.filedata.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.filedata.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
5.0.filedata.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.filedata.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
11.0.chmac.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.0.chmac.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
11.0.chmac.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.0.chmac.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
11.2.chmac.exe.4960000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.chmac.exe.4960000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
11.2.chmac.exe.4960000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.chmac.exe.4960000.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.filedata.exe.4bc0000.32.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
5.2.filedata.exe.4bc0000.32.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
5.2.filedata.exe.4bc0000.32.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.filedata.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.filedata.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
5.0.filedata.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.filedata.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
5.2.filedata.exe.5400000.40.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
5.2.filedata.exe.5400000.40.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
5.2.filedata.exe.400000.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.filedata.exe.400000.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
5.2.filedata.exe.400000.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.filedata.exe.400000.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
5.2.filedata.exe.28249b0.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
5.2.filedata.exe.28249b0.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
5.2.filedata.exe.5450000.43.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
5.2.filedata.exe.5450000.43.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
8.2.chmac.exe.2636888.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
8.2.chmac.exe.2636888.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
9.2.chmac.exe.3191458.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.chmac.exe.3191458.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
9.2.chmac.exe.3191458.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.chmac.exe.3191458.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.filedata.exe.393ac5e.22.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
5.2.filedata.exe.393ac5e.22.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
8.0.chmac.exe.415058.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.0.chmac.exe.415058.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
8.0.chmac.exe.415058.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.0.chmac.exe.415058.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
9.2.chmac.exe.3191458.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.chmac.exe.3191458.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
9.2.chmac.exe.3191458.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.chmac.exe.3191458.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.filedata.exe.3b664a0.28.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.filedata.exe.3b664a0.28.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.filedata.exe.3b664a0.28.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.0.chmac.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.0.chmac.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
11.0.chmac.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.0.chmac.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
5.2.filedata.exe.3a65f89.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14dd9:$x1: NanoCore.ClientPluginHost 0x21f44:$x1: NanoCore.ClientPluginHost 0x2bd98:$x1: NanoCore.ClientPluginHost 0x32e65:$x1: NanoCore.ClientPluginHost 0x390f0:$x1: NanoCore.ClientPluginHost 0x43701:$x1: NanoCore.ClientPluginHost 0x4db2e:$x1: NanoCore.ClientPluginHost 0x58b0d:$x1: NanoCore.ClientPluginHost 0x648b1:$x1: NanoCore.ClientPluginHost 0x897b7:$x1: NanoCore.ClientPluginHost 0x98bf9:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e06:$x2: IClientNetworkHost 0x21f7d:$x2: IClientNetworkHost 0x2bdd1:$x2: IClientNetworkHost 0x39129:$x2: IClientNetworkHost 0x4385e:$x2: IClientNetworkHost 0x4db67:$x2: IClientNetworkHost 0x58b27:$x2: IClientNetworkHost 0x648cb:$x2: IClientNetworkHost
5.2.filedata.exe.3a65f89.25.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db3:$a: NanoCore 0x14dd9:$a: NanoCore 0x14e35:$a: NanoCore 0x21c8c:$a: NanoCore 0x21ce5:$a: NanoCore 0x21d18:$a: NanoCore 0x21f44:$a: NanoCore 0x21fc0:$a: NanoCore 0x225d9:$a: NanoCore 0x22722:$a: NanoCore 0x22bf6:$a: NanoCore 0x22edd:$a: NanoCore 0x22ef4:$a: NanoCore 0x2bd98:$a: NanoCore 0x2be14:$a: NanoCore 0x2e6f7:$a: NanoCore 0x31aa9:$a: NanoCore 0x32e65:$a: NanoCore
5.2.filedata.exe.23b0000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.filedata.exe.23b0000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.2.filedata.exe.23b0000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.filedata.exe.23b0000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.filedata.exe.4a30000.29.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
5.2.filedata.exe.4a30000.29.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
5.2.filedata.exe.624448.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.filedata.exe.624448.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.2.filedata.exe.624448.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.filedata.exe.624448.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.filedata.exe.37a7ee7.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
5.2.filedata.exe.37a7ee7.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
5.2.filedata.exe.5370000.34.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
5.2.filedata.exe.5370000.34.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
5.2.filedata.exe.3943e92.20.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
5.2.filedata.exe.3943e92.20.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
8.2.chmac.exe.400000.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.chmac.exe.400000.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
8.2.chmac.exe.400000.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.chmac.exe.400000.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
5.2.filedata.exe.5390000.35.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
5.2.filedata.exe.5390000.35.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
5.1.filedata.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.1.filedata.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
5.1.filedata.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.1.filedata.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
1.2.filedata.exe.23a0000.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.filedata.exe.23a0000.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
1.2.filedata.exe.23a0000.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.filedata.exe.23a0000.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
5.2.filedata.exe.3b6166a.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost
5.2.filedata.exe.3b6166a.27.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost
5.2.filedata.exe.3b6166a.27.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.filedata.exe.3b6166a.27.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x144cd:$c: ProjectData 0x12c9:$g: LogClientMessage 0x1249:$i: get_Connected 0x14e1c:$j: #=q 0x14e4c:$j: #=q
11.2.chmac.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.chmac.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
11.2.chmac.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.chmac.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
11.0.chmac.exe.415058.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.0.chmac.exe.415058.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
11.0.chmac.exe.415058.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.0.chmac.exe.415058.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
8.0.chmac.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.0.chmac.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
8.0.chmac.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.0.chmac.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
5.2.filedata.exe.624448.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.filedata.exe.624448.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.filedata.exe.624448.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.filedata.exe.624448.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42398:$b: ClientPlugin 0x4c4d6:$b: ClientPlugin 0x510b8:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q
8.2.chmac.exe.6347a8.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.chmac.exe.6347a8.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
8.2.chmac.exe.6347a8.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.chmac.exe.6347a8.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
Click to see the 526 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\filedata.exe, ProcessId: 6220, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\filedata.exe, ProcessId: 6220, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\filedata.exe, ProcessId: 6220, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\filedata.exe, ProcessId: 6220, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 5.2.filedata.exe.383df59.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.4bc0000.32.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3b6aac9.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.3613258.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.37e3258.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.47c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.3690e54.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.filedata.exe.23b1458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.chmac.exe.3180000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.6d7f68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.4810000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.chmac.exe.32d1458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.filedata.exe.23a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.4bc4629.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3839930.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.4920000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.4920000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.37da822.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3839930.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.chmac.exe.3180000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.23b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.3613258.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.37df658.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.3860e54.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.filedata.exe.23b1458.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.filedata.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3b664a0.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.369547d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.368c01e.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.37e3c81.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.3860e54.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.3690e54.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.37df658.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.47c0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.6347a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.385c01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.37e3258.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.chmac.exe.32c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.chmac.exe.32c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.386547d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.chmac.exe.32d1458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.23f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.6d7f68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.4960000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.4bc0000.32.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.chmac.exe.3191458.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.chmac.exe.3191458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3b664a0.28.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.624448.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.filedata.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.filedata.exe.23a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3b6166a.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.624448.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.6347a8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.561439821.00000000027A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.297190479.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.345221899.000000000364A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.342661979.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000001.328667049.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.361051688.000000000381A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.299308522.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.341500174.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.562195683.0000000003832000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.325598662.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.345786625.0000000003180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.559328771.0000000000614000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.361014751.00000000037E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: filedata.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: filedata.exe PID: 6220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 2812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 4476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6968, type: MEMORYSTR

Source: 5.0.filedata.exe.400000.2.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.filedata.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.1.chmac.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.filedata.exe.4bc0000.32.unpack	Avira: Label: TR/NanoCore.fadte
Source: 11.0.chmac.exe.400000.2.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.2.chmac.exe.4810000.9.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.1.chmac.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.chmac.exe.400000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.0.chmac.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.filedata.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.0.chmac.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.0.chmac.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.filedata.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.2.chmac.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.0.chmac.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.0.chmac.exe.400000.2.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.0.chmac.exe.400000.5.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.filedata.exe.400000.5.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.chmac.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.chmac.exe.400000.5.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.filedata.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.filedata.exe.400000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.filedata.exe.23f0000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.chmac.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.chmac.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.chmac.exe.4960000.9.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.filedata.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.chmac.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.1.filedata.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.filedata.exe.3220000.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 11.2.chmac.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.0.chmac.exe.400000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Unpacked PE file: 8.2.chmac.exe.4810000.9.unpack
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Unpacked PE file: 11.2.chmac.exe.4960000.9.unpack

Source: filedata.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\filedata.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: filedata.exe, 00000001.00000003.295655052.00000000036B0000.00000004.00000001.sdmp, filedata.exe, 00000001.00000003.295324951.0000000003520000.00000004.00000001.sdmp, chmac.exe, 00000007.00000003.324632058.00000000034A0000.00000004.00000001.sdmp, chmac.exe, 00000007.00000003.323875140.0000000003310000.00000004.00000001.sdmp, chmac.exe, 00000009.00000003.339932076.00000000031E0000.00000004.00000001.sdmp, chmac.exe, 00000009.00000003.343022774.0000000003370000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: filedata.exe, 00000005.00000002.563438389.00000000053B0000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: filedata.exe, 00000001.00000003.295655052.00000000036B0000.00000004.00000001.sdmp, filedata.exe, 00000001.00000003.295324951.0000000003520000.00000004.00000001.sdmp, chmac.exe, 00000007.00000003.324632058.00000000034A0000.00000004.00000001.sdmp, chmac.exe, 00000007.00000003.323875140.0000000003310000.00000004.00000001.sdmp, chmac.exe, 00000009.00000003.339932076.00000000031E0000.00000004.00000001.sdmp, chmac.exe, 00000009.00000003.343022774.0000000003370000.00000004.00000001.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\mscorlib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: filedata.exe, 00000005.00000002.563590904.00000000053D0000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.563890986.0000000005400000.00000004.00020000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.563389843.0000000005390000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: filedata.exe, 00000005.00000002.563662225.00000000053E0000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_1_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_00402630 FindFirstFileA,

Networking:

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: boyhome5100.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.3:49745 -> 194.5.98.28:5100

Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: chmac.exe, chmac.exe, 00000009.00000002.343865229.0000000000409000.00000004.00020000.sdmp, chmac.exe, 00000009.00000000.325806188.0000000000409000.00000008.00020000.sdmp, chmac.exe, 0000000B.00000000.331021791.0000000000409000.00000008.00020000.sdmp, filedata.exe, chmac.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: filedata.exe, chmac.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: unknown

DNS traffic detected: queries for: boyhome5100.duckdns.org

Source: C:\Users\user\Desktop\filedata.exe

Code function: 5_2_04A22E42 WSARecv,

Source: filedata.exe, 00000001.00000002.300161005.00000000006FA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: filedata.exe, 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

Source: C:\Users\user\Desktop\filedata.exe

Code function: 1_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 5.2.filedata.exe.383df59.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.4bc0000.32.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3b6aac9.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.3613258.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.37e3258.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.47c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.3690e54.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.filedata.exe.23b1458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.chmac.exe.3180000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.6d7f68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.4810000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.chmac.exe.32d1458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.filedata.exe.23a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.4bc4629.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3839930.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.4920000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.4920000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.37da822.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3839930.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.chmac.exe.3180000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.23b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.3613258.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.37df658.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.3860e54.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.filedata.exe.23b1458.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.filedata.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3b664a0.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.369547d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.368c01e.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.37e3c81.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.3860e54.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.3690e54.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.37df658.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.47c0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.6347a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.385c01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.37e3258.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.chmac.exe.32c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.chmac.exe.32c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.386547d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.chmac.exe.32d1458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.23f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.6d7f68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.4960000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.4bc0000.32.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.chmac.exe.3191458.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.chmac.exe.3191458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3b664a0.28.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.624448.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.filedata.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.filedata.exe.23a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3b6166a.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.624448.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.6347a8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.561439821.00000000027A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.297190479.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.345221899.000000000364A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.342661979.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000001.328667049.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.361051688.000000000381A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.299308522.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.341500174.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.562195683.0000000003832000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.325598662.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.345786625.0000000003180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.559328771.0000000000614000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.361014751.00000000037E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: filedata.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: filedata.exe PID: 6220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 2812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 4476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6968, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 5.2.filedata.exe.5370000.34.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.383df59.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.4bc0000.32.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.3b6aac9.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.5450000.43.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.53f0000.39.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.3613258.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.3613258.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.chmac.exe.37e3258.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.37e3258.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.chmac.exe.47c0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.47c0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.chmac.exe.3690e54.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.filedata.exe.23b1458.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.filedata.exe.23b1458.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.2970224.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.2970224.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.filedata.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.filedata.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.chmac.exe.2806888.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.284528c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.284528c.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.37a3248.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.chmac.exe.3180000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.chmac.exe.3180000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.chmac.exe.6d7f68.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.6d7f68.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.3a867ea.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.3a867ea.23.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.2830c24.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.4810000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.4810000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.chmac.exe.32d1458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.chmac.exe.32d1458.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.3a721bd.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.545e8a4.44.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.29848a8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.29848a8.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.5400000.40.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.filedata.exe.23a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.filedata.exe.23a0000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.chmac.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.5454c9f.45.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.4bc4629.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.28249b0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.28249b0.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.3839930.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.chmac.exe.4920000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.4920000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.filedata.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.filedata.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.chmac.exe.4920000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.4920000.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.filedata.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.filedata.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.37da822.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.37da822.17.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.53e0000.38.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.3839930.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.chmac.exe.3180000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.chmac.exe.3180000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.23b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.23b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.chmac.exe.3613258.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.3613258.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.37df658.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.37df658.16.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.chmac.exe.3860e54.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.filedata.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.filedata.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.filedata.exe.23b1458.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.filedata.exe.23b1458.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.37b1aec.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.5480000.46.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.1.filedata.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.1.filedata.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.3b664a0.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.1.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.1.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.3943e92.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.27b154c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.5420000.41.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.chmac.exe.369547d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.368c01e.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.368c01e.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.4bb0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.53f0000.39.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.53b0000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.2963f94.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.2963f94.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.filedata.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.filedata.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.3948b31.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.37e3c81.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.37e3c81.15.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.3a65f89.25.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.3860e54.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.3690e54.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.37df658.16.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.393ac5e.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.filedata.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.filedata.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.chmac.exe.47c0000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.47c0000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.37a3248.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.6347a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.6347a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.4a30000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.385c01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.385c01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.53e0000.38.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.chmac.exe.37e3258.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.37e3258.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.chmac.exe.32c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.chmac.exe.32c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.filedata.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.filedata.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.chmac.exe.32c0000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.chmac.exe.32c0000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.chmac.exe.386547d.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.filedata.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.filedata.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.53d0000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.5420000.41.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.5440000.42.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.53b0000.36.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.chmac.exe.32d1458.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.chmac.exe.32d1458.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.5440000.42.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.filedata.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.filedata.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.5480000.46.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.2970224.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.23f0000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.23f0000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.3a721bd.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.3a721bd.24.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.filedata.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.filedata.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.2830c24.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.2830c24.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.2963f94.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.6d7f68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.6d7f68.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.filedata.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.filedata.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.chmac.exe.4960000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.4960000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.4bc0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.filedata.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.filedata.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.5400000.40.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.28249b0.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.5450000.43.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.2636888.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.chmac.exe.3191458.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.chmac.exe.3191458.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.393ac5e.22.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.chmac.exe.3191458.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.chmac.exe.3191458.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.3b664a0.28.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.3a65f89.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.3a65f89.25.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.23b0000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.23b0000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.4a30000.29.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.624448.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.624448.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.37a7ee7.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.5370000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.3943e92.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.5390000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.1.filedata.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.1.filedata.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.filedata.exe.23a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.filedata.exe.23a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.3b6166a.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.3b6166a.27.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.filedata.exe.624448.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.filedata.exe.624448.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.chmac.exe.6347a8.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.chmac.exe.6347a8.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.563662225.00000000053E0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.564073879.0000000005420000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.297190479.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.297190479.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.562912360.0000000004A30000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.563590904.00000000053D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.563438389.00000000053B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.345221899.000000000364A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000000.342661979.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000000.342661979.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000001.328667049.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000001.328667049.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.564478287.0000000005480000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.564299116.0000000005450000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.563389843.0000000005390000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.345062402.000000000261E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.361051688.000000000381A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.563059058.0000000004BB0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000001.299308522.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000001.299308522.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000000.341500174.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000000.341500174.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000000.325598662.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000000.325598662.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.345786625.0000000003180000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.345786625.0000000003180000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.559328771.0000000000614000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.559328771.0000000000614000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.563366604.0000000005370000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.360974701.00000000027EE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.361014751.00000000037E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.361014751.00000000037E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.563890986.0000000005400000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.564263969.0000000005440000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: filedata.exe PID: 6760, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: filedata.exe PID: 6760, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: filedata.exe PID: 6220, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: filedata.exe PID: 6220, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: chmac.exe PID: 2812, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: chmac.exe PID: 2812, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: chmac.exe PID: 6352, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: chmac.exe PID: 6352, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: chmac.exe PID: 4476, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: chmac.exe PID: 4476, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: chmac.exe PID: 6968, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: chmac.exe PID: 6968, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: filedata.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 5.2.filedata.exe.5370000.34.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5370000.34.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.383df59.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.383df59.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.4bc0000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.4bc0000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.3b6aac9.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3b6aac9.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.5450000.43.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5450000.43.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.53f0000.39.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.53f0000.39.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.3613258.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.3613258.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.3613258.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.37e3258.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.37e3258.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.37e3258.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.chmac.exe.47c0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.47c0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.47c0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.chmac.exe.3690e54.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.3690e54.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.filedata.exe.23b1458.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.filedata.exe.23b1458.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.filedata.exe.23b1458.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.2970224.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.2970224.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.2970224.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.filedata.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.2806888.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.2806888.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.284528c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.284528c.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.37a3248.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.37a3248.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.chmac.exe.3180000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.chmac.exe.3180000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.chmac.exe.3180000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.6d7f68.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.6d7f68.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.6d7f68.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3a867ea.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3a867ea.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.3a867ea.23.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.2830c24.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.2830c24.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.4810000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.4810000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.4810000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.chmac.exe.32d1458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.chmac.exe.32d1458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.chmac.exe.32d1458.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3a721bd.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3a721bd.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.545e8a4.44.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.545e8a4.44.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.29848a8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.29848a8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.29848a8.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.5400000.40.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5400000.40.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.filedata.exe.23a0000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.filedata.exe.23a0000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.filedata.exe.23a0000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.5454c9f.45.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5454c9f.45.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.4bc4629.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.4bc4629.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.28249b0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.28249b0.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3839930.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3839930.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.4920000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.4920000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.4920000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.filedata.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.4920000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.4920000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.4920000.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.filedata.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.37da822.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.37da822.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.37da822.17.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.53e0000.38.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.53e0000.38.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3839930.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3839930.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.chmac.exe.3180000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.chmac.exe.3180000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.chmac.exe.3180000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.23b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.23b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.23b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.chmac.exe.3613258.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.3613258.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.3613258.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.37df658.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.37df658.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.37df658.16.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.3860e54.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.3860e54.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.filedata.exe.23b1458.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.filedata.exe.23b1458.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.filedata.exe.23b1458.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.37b1aec.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.37b1aec.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.5480000.46.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5480000.46.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.1.filedata.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.1.filedata.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.1.filedata.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3b664a0.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3b664a0.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.1.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.1.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.1.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3943e92.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3943e92.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.27b154c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.27b154c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.5420000.41.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5420000.41.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.chmac.exe.369547d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.369547d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.368c01e.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.368c01e.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.368c01e.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.4bb0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.4bb0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.53f0000.39.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.53f0000.39.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.53b0000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.53b0000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.2963f94.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.2963f94.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.filedata.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3948b31.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3948b31.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.37e3c81.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.37e3c81.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.37e3c81.15.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3a65f89.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3a65f89.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.3860e54.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.3860e54.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.3690e54.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.3690e54.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.37df658.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.37df658.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.393ac5e.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.393ac5e.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.filedata.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.chmac.exe.47c0000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.47c0000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.47c0000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.37a3248.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.37a3248.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.6347a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.6347a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.6347a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.4a30000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.4a30000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.385c01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.385c01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.385c01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.53e0000.38.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.53e0000.38.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.37e3258.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.37e3258.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.37e3258.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.chmac.exe.32c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.chmac.exe.32c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.chmac.exe.32c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.filedata.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.chmac.exe.32c0000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.chmac.exe.32c0000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.chmac.exe.32c0000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.386547d.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.386547d.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.53d0000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.53d0000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.5420000.41.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5420000.41.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.5440000.42.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5440000.42.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.53b0000.36.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.53b0000.36.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.chmac.exe.32d1458.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.chmac.exe.32d1458.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.chmac.exe.32d1458.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.5440000.42.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5440000.42.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.5480000.46.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5480000.46.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.2970224.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.2970224.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.23f0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.23f0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.23f0000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3a721bd.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3a721bd.24.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.filedata.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.2830c24.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.2830c24.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.2963f94.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.2963f94.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.6d7f68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.6d7f68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.6d7f68.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.filedata.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.4960000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.4960000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.4960000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.4bc0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.4bc0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.filedata.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.filedata.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.5400000.40.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5400000.40.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.28249b0.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.28249b0.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.5450000.43.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5450000.43.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.2636888.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.2636888.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.chmac.exe.3191458.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.chmac.exe.3191458.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.chmac.exe.3191458.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.393ac5e.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.393ac5e.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.chmac.exe.3191458.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.chmac.exe.3191458.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.chmac.exe.3191458.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3b664a0.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3b664a0.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3a65f89.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3a65f89.25.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.23b0000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.23b0000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.23b0000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.4a30000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.4a30000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.624448.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.624448.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.624448.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.37a7ee7.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.37a7ee7.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.5370000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5370000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.3943e92.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3943e92.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.5390000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.5390000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.1.filedata.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.1.filedata.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.1.filedata.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.filedata.exe.23a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.filedata.exe.23a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.filedata.exe.23a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.3b6166a.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.3b6166a.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.3b6166a.27.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.filedata.exe.624448.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.filedata.exe.624448.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.filedata.exe.624448.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.chmac.exe.6347a8.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.chmac.exe.6347a8.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chmac.exe.6347a8.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.563662225.00000000053E0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.563662225.00000000053E0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.564073879.0000000005420000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.564073879.0000000005420000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000000.297190479.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.297190479.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.562912360.0000000004A30000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.562912360.0000000004A30000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.563590904.00000000053D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.563590904.00000000053D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.563438389.00000000053B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.563438389.00000000053B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.345221899.000000000364A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000000.342661979.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000000.342661979.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000001.328667049.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000001.328667049.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.564478287.0000000005480000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.564478287.0000000005480000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.564299116.0000000005450000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.564299116.0000000005450000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.563389843.0000000005390000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.563389843.0000000005390000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.345062402.000000000261E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.361051688.000000000381A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.563059058.0000000004BB0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.563059058.0000000004BB0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000001.299308522.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000001.299308522.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000000.341500174.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_0040604C
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_00404772
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB8ED6
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBBACD
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBB0C1
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB92C7
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBAEFE
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBB6F0
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB76F5
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBBA9D
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB948D
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBBC81
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB9086
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB7EBD
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDC8CB7
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBB6B7
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBAEB4
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB68A9
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB7AA5
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB8A52
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBAE57
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB9068
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB4E62
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBAE10
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB8E17
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB9215
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBB80F
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBBC3D
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB7A26
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBB5DE
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBB9D3
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB87CB
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBABCB
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBC3CB
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB61C1
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB51C5
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB1FE9
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB93E2
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBAFE5
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBB59C
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB9397
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB75B9
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB75B2
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB8FB1
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBADB5
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB8D5D
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB915C
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB6770
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB6576
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB8774
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBB966
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBBB1B
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB931C
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBB10F
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB1B00
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB613A
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBCD3F
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBB13D
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBBB3C
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBB328
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB8F22
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_0040A2A5
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_02107ABF
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_048A3850
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_048A8468
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_048A9068
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_048AAD38
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_048A2FA8
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_048A23A0
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_048A306F
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_048A912F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB8ED6
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBBACD
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBB0C1
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB92C7
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBAEFE
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBB6F0
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBBA9D
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB8A8A
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB948D
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBBC81
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB9086
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB86BA
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDC8CB7
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBB6B7
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBAEB4
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB68A9
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBAE57
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB9068
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB4E62
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBAE10
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB8E17
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB9215
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBB80F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB8A3A
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBBC3D
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB8629
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBB5DE
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBB9D3
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB8BD2
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBABCB
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBC3CB
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB61C1
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB51C5
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB87FC
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB1FE9
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB93E2
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBAFE5
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB879F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBB59C
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB9397
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB8FB1
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBADB5
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB895F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB915C
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB6770
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB6576
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB876A
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB8D60
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB5F66
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBB966
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBBB1B
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB931C
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBB10F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB1B00
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB613A
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB873A
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBCD3F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBB13D
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBBB3C
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBB328
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB8F22
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB8B27
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_0040A2A5
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_04882FA8
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_048823A0
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_04883850
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_0488306F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_1_0040A2A5
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_0040604C
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_00404772
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB68A9
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB7AA5
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB7EBD
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAC8CB7
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABB6B7
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABAEB4
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB948D
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABBC81
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB9086
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABBA9D
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABAEFE
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABB6F0
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB76F5
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABBACD
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABB0C1
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB92C7
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB8ED6
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB7A26
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABBC3D
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABB80F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABAE10
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB8E17
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB9215
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB9068
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB4E62
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB8A52
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABAE57
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB75B9
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB75B2
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB8FB1
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABADB5
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABB59C
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB9397
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB1FE9
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB93E2
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABAFE5
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB87CB
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABABCB
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABC3CB
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB61C1
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB51C5
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABB5DE
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABB9D3
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABB328
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB8F22
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB613A
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABB13D
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABBB3C
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABB10F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB1B00
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABBB1B
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB931C
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABB966
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB6770
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB6576
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB8774
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB8D5D
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB915C

Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: String function: 00401ED0 appears 46 times
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: String function: 0040569E appears 36 times

Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_04A218AA NtQuerySystemInformation,
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_04A2186F NtQuerySystemInformation,

Source: filedata.exe, 00000001.00000003.291042942.0000000003636000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs filedata.exe
Source: filedata.exe, 00000001.00000003.293853805.00000000037CF000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs filedata.exe
Source: filedata.exe, 00000005.00000002.563662225.00000000053E0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs filedata.exe
Source: filedata.exe, 00000005.00000002.561439821.00000000027A1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.564073879.0000000005420000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562912360.0000000004A30000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs filedata.exe
Source: filedata.exe, 00000005.00000002.563438389.00000000053B0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.563590904.00000000053D0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.563110382.0000000004BE0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562269551.00000000038C7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562269551.00000000038C7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562269551.00000000038C7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562269551.00000000038C7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562269551.00000000038C7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562269551.00000000038C7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.564478287.0000000005480000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562100157.00000000037A1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562100157.00000000037A1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562100157.00000000037A1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.564299116.0000000005450000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.564299116.0000000005450000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.564299116.0000000005450000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.563389843.0000000005390000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs filedata.exe
Source: filedata.exe, 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs filedata.exe
Source: filedata.exe, 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs filedata.exe
Source: filedata.exe, 00000005.00000002.563059058.0000000004BB0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562195683.0000000003832000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562195683.0000000003832000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562195683.0000000003832000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.563366604.0000000005370000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs filedata.exe
Source: filedata.exe, 00000005.00000002.563890986.0000000005400000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs filedata.exe
Source: filedata.exe, 00000005.00000002.564263969.0000000005440000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs filedata.exe

Source: filedata.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: chmac.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\filedata.exe

File read: C:\Users\user\Desktop\filedata.exe

Jump to behavior

Source: filedata.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\filedata.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\filedata.exe "C:\Users\user\Desktop\filedata.exe"
Source: C:\Users\user\Desktop\filedata.exe	Process created: C:\Users\user\Desktop\filedata.exe "C:\Users\user\Desktop\filedata.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: C:\Users\user\Desktop\filedata.exe	Process created: C:\Users\user\Desktop\filedata.exe "C:\Users\user\Desktop\filedata.exe"
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"

Source: C:\Users\user\Desktop\filedata.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_04A2166A AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_04A21633 AdjustTokenPrivileges,

Source: C:\Users\user\Desktop\filedata.exe

File created: C:\Users\user\AppData\Roaming\dihsw

Jump to behavior

Source: C:\Users\user\Desktop\filedata.exe

File created: C:\Users\user\AppData\Local\Temp\nsk5586.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.troj.evad.winEXE@9/13@19/2

Source: C:\Users\user\Desktop\filedata.exe

Code function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\filedata.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\filedata.exe

Code function: 1_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: 11.2.chmac.exe.4960000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.2.chmac.exe.4960000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 8.2.chmac.exe.4810000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 8.2.chmac.exe.4810000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.filedata.exe.23f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.filedata.exe.23f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\filedata.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll

Source: C:\Users\user\Desktop\filedata.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\filedata.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{1f8684ca-0835-4252-89d1-4a2b1be1a69a}

Source: C:\Users\user\Desktop\filedata.exe

Code function: 5_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,

Source: 5.2.filedata.exe.23f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.filedata.exe.23f0000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.filedata.exe.23f0000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.chmac.exe.4810000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.2.chmac.exe.4810000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.chmac.exe.4810000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.chmac.exe.4960000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 11.2.chmac.exe.4960000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.chmac.exe.4960000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\filedata.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Users\user\Desktop\filedata.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: filedata.exe, 00000001.00000003.295655052.00000000036B0000.00000004.00000001.sdmp, filedata.exe, 00000001.00000003.295324951.0000000003520000.00000004.00000001.sdmp, chmac.exe, 00000007.00000003.324632058.00000000034A0000.00000004.00000001.sdmp, chmac.exe, 00000007.00000003.323875140.0000000003310000.00000004.00000001.sdmp, chmac.exe, 00000009.00000003.339932076.00000000031E0000.00000004.00000001.sdmp, chmac.exe, 00000009.00000003.343022774.0000000003370000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: filedata.exe, 00000005.00000002.563438389.00000000053B0000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: filedata.exe, 00000001.00000003.295655052.00000000036B0000.00000004.00000001.sdmp, filedata.exe, 00000001.00000003.295324951.0000000003520000.00000004.00000001.sdmp, chmac.exe, 00000007.00000003.324632058.00000000034A0000.00000004.00000001.sdmp, chmac.exe, 00000007.00000003.323875140.0000000003310000.00000004.00000001.sdmp, chmac.exe, 00000009.00000003.339932076.00000000031E0000.00000004.00000001.sdmp, chmac.exe, 00000009.00000003.343022774.0000000003370000.00000004.00000001.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\mscorlib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: filedata.exe, 00000005.00000002.563590904.00000000053D0000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.563890986.0000000005400000.00000004.00020000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.563389843.0000000005390000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: filedata.exe, 00000005.00000002.561407999.0000000002457000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: filedata.exe, 00000005.00000002.563662225.00000000053E0000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Unpacked PE file: 8.2.chmac.exe.4810000.9.unpack
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Unpacked PE file: 11.2.chmac.exe.4960000.9.unpack

.NET source code contains potential unpacker

Show sources

Source: 5.2.filedata.exe.23f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.filedata.exe.23f0000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.chmac.exe.4810000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.chmac.exe.4810000.9.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.chmac.exe.4960000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.chmac.exe.4960000.9.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB4EB2 pushad ; retf 0000h
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDBC254 pushfd ; retf
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_6EDB6FF5 pushfd ; iretd
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_00401F16 push ecx; ret
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_020E2E75 push edi; ret
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_020E2685 push edi; ret
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_020E2E81 push edi; ret
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_020E26A8 push edi; ret
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_020E30E4 push eax; ret
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_020E30F9 push eax; ret
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_020E316C push eax; ret
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_020E2570 push ecx; ret
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_020E25DD push eax; ret
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_020E25D0 push ecx; ret
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_020E2DFD push ecx; ret
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_02109D2B pushad ; retf
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDB4EB2 pushad ; retf 0000h
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_6EDBC254 pushfd ; retf
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_00401F16 push ecx; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_00912881 push edi; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_009125D0 push ecx; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_009125DD push eax; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_00912DFD push ecx; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_00912570 push ecx; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_00912E81 push edi; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_009126A8 push edi; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_00912E75 push edi; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_1_00401F16 push ecx; ret
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB4EB2 pushad ; retf 0000h
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EABC254 pushfd ; retf
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_6EAB6FF5 pushfd ; iretd

Source: C:\Users\user\Desktop\filedata.exe

Code function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: 5.2.filedata.exe.23f0000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.2.filedata.exe.23f0000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 8.2.chmac.exe.4810000.9.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 8.2.chmac.exe.4810000.9.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 11.2.chmac.exe.4960000.9.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 11.2.chmac.exe.4960000.9.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	File created: C:\Users\user\AppData\Local\Temp\nsqA3A8.tmp\zihgjt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	File created: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\zihgjt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\filedata.exe	File created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Jump to dropped file
Source: C:\Users\user\Desktop\filedata.exe	File created: C:\Users\user\AppData\Local\Temp\nsf55B7.tmp\zihgjt.dll	Jump to dropped file

Source: C:\Users\user\Desktop\filedata.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kyvrnrwl			Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kyvrnrwl			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\filedata.exe

File opened: C:\Users\user\Desktop\filedata.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\filedata.exe TID: 3560	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\filedata.exe TID: 5668	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 3176	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 3952	Thread sleep count: 42 > 30
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 5676	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 5608	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 5672	Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 4404	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\filedata.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\filedata.exe	Window / User API: threadDelayed 354
Source: C:\Users\user\Desktop\filedata.exe	Window / User API: foregroundWindowGot 955

Source: C:\Users\user\Desktop\filedata.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\filedata.exe

Code function: 5_2_04A21392 GetSystemInfo,

Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_1_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_00402630 FindFirstFileA,

Source: C:\Users\user\Desktop\filedata.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\filedata.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\filedata.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\filedata.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\filedata.exe

Code function: 5_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\filedata.exe

Code function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\filedata.exe

Code function: 5_2_004067FE GetProcessHeap,

Source: C:\Users\user\Desktop\filedata.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_0019E23A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_0019E026 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_0019E2EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_0019E32A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\filedata.exe	Code function: 1_2_0019E368 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_004035F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_0019E23A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_0019E026 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_0019E2EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_0019E32A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 7_2_0019E368 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_004035F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_1_004035F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_0019E23A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_0019E026 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_0019E2EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_0019E32A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 9_2_0019E368 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\filedata.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_00401E1D SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_00401E1D SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_1_00401E1D SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 8_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\filedata.exe	Memory written: C:\Users\user\Desktop\filedata.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Memory written: C:\Users\user\AppData\Roaming\dihsw\chmac.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Memory written: C:\Users\user\AppData\Roaming\dihsw\chmac.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\filedata.exe	Process created: C:\Users\user\Desktop\filedata.exe "C:\Users\user\Desktop\filedata.exe"
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"

Source: filedata.exe, 00000005.00000002.561811283.0000000002932000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561781358.000000000292A000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562041659.0000000002A2E000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.560079389.0000000000C70000.00000002.00020000.sdmp, filedata.exe, 00000005.00000002.562001826.0000000002A0E000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562073524.0000000002A54000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561991224.0000000002A07000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561741862.0000000002910000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561794584.000000000292D000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561757899.000000000291A000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: filedata.exe, 00000005.00000002.560079389.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: filedata.exe, 00000005.00000002.560079389.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: filedata.exe, 00000005.00000002.561811283.0000000002932000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562073524.0000000002A54000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.561757899.000000000291A000.00000004.00000001.sdmp	Binary or memory string: Program ManagerP
Source: filedata.exe, 00000005.00000002.561991224.0000000002A07000.00000004.00000001.sdmp	Binary or memory string: Program Managerp
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp	Binary or memory string: Program ManagerX
Source: filedata.exe, 00000005.00000002.560079389.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\filedata.exe

Code function: 5_2_0040208D cpuid

Source: C:\Users\user\Desktop\filedata.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\filedata.exe

Code function: 5_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\filedata.exe

Code function: 1_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

Source: C:\Users\user\Desktop\filedata.exe

Code function: 5_2_020EB0CA GetUserNameW,

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 5.2.filedata.exe.383df59.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.4bc0000.32.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3b6aac9.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.3613258.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.37e3258.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.47c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.3690e54.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.filedata.exe.23b1458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.chmac.exe.3180000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.6d7f68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.4810000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.chmac.exe.32d1458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.filedata.exe.23a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.4bc4629.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3839930.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.4920000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.4920000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.37da822.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3839930.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.chmac.exe.3180000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.23b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.3613258.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.37df658.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.3860e54.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.filedata.exe.23b1458.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.filedata.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3b664a0.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.369547d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.368c01e.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.37e3c81.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.3860e54.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.3690e54.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.37df658.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.47c0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.6347a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.385c01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.37e3258.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.chmac.exe.32c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.chmac.exe.32c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.386547d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.chmac.exe.32d1458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.23f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.6d7f68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.4960000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.4bc0000.32.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.chmac.exe.3191458.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.chmac.exe.3191458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3b664a0.28.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.624448.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.filedata.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.filedata.exe.23a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3b6166a.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.624448.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.6347a8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.561439821.00000000027A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.297190479.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.345221899.000000000364A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.342661979.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000001.328667049.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.361051688.000000000381A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.299308522.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.341500174.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.562195683.0000000003832000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.325598662.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.345786625.0000000003180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.559328771.0000000000614000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.361014751.00000000037E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: filedata.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: filedata.exe PID: 6220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 2812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 4476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6968, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: filedata.exe, 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563662225.00000000053E0000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563662225.00000000053E0000.00000004.00020000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: filedata.exe, 00000005.00000002.561439821.00000000027A1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.561439821.00000000027A1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: filedata.exe, 00000005.00000002.564073879.0000000005420000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.562912360.0000000004A30000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563438389.00000000053B0000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563590904.00000000053D0000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563590904.00000000053D0000.00000004.00020000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: filedata.exe, 00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: filedata.exe, 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.562269551.00000000038C7000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: filedata.exe, 00000005.00000002.564478287.0000000005480000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.562100157.00000000037A1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.564299116.0000000005450000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563389843.0000000005390000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563389843.0000000005390000.00000004.00020000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: filedata.exe, 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: filedata.exe, 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563059058.0000000004BB0000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563059058.0000000004BB0000.00000004.00020000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: filedata.exe, 00000005.00000002.562195683.0000000003832000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: filedata.exe, 00000005.00000002.563366604.0000000005370000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563890986.0000000005400000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: filedata.exe, 00000005.00000002.563890986.0000000005400000.00000004.00020000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: filedata.exe, 00000005.00000002.564263969.0000000005440000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000008.00000002.345221899.000000000364A000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000008.00000002.345221899.000000000364A000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: chmac.exe, 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000008.00000002.345062402.000000000261E000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000008.00000002.345062402.000000000261E000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: chmac.exe, 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000009.00000002.345786625.0000000003180000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000B.00000002.361051688.000000000381A000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000B.00000002.361051688.000000000381A000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: chmac.exe, 0000000B.00000002.360974701.00000000027EE000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000B.00000002.360974701.00000000027EE000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: chmac.exe, 0000000B.00000002.361014751.00000000037E1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 5.2.filedata.exe.383df59.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.4bc0000.32.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3b6aac9.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.3613258.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.37e3258.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.47c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.3690e54.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.filedata.exe.23b1458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.chmac.exe.3180000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.6d7f68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.4810000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.chmac.exe.32d1458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.filedata.exe.23a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.4bc4629.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3839930.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.4920000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.4920000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.37da822.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3839930.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.chmac.exe.3180000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.23b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.3613258.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.37df658.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.3860e54.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.filedata.exe.23b1458.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.filedata.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3b664a0.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.filedata.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.369547d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.368c01e.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.37e3c81.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.3860e54.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.3690e54.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.37df658.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.47c0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.6347a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.385c01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.37e3258.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.chmac.exe.32c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.chmac.exe.32c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.386547d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.chmac.exe.32d1458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.23f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.6d7f68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.4960000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.4bc0000.32.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.filedata.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.chmac.exe.3191458.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.chmac.exe.3191458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3b664a0.28.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.624448.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.filedata.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.filedata.exe.23a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.3b6166a.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.filedata.exe.624448.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.chmac.exe.6347a8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.561439821.00000000027A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.297190479.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.345221899.000000000364A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.342661979.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000001.328667049.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.361051688.000000000381A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.299308522.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.341500174.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.562195683.0000000003832000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.325598662.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.345786625.0000000003180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.559328771.0000000000614000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.361014751.00000000037E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: filedata.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: filedata.exe PID: 6220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 2812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 4476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6968, type: MEMORYSTR

Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_04A22986 bind,
Source: C:\Users\user\Desktop\filedata.exe	Code function: 5_2_04A22934 bind,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Registry Run Keys / Startup Folder1	Access Token Manipulation1	Disable or Modify Tools1	Input Capture21	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection112	Deobfuscate/Decode Files or Information11	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Input Capture21	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Registry Run Keys / Startup Folder1	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing21	NTDS	System Information Discovery16	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Security Software Discovery2	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion21	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol11	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Virtualization/Sandbox Evasion21	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection112	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.0.filedata.exe.400000.2.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.2.filedata.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
11.1.chmac.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.2.filedata.exe.4bc0000.32.unpack	100%	Avira	TR/NanoCore.fadte	Download File
11.0.chmac.exe.400000.2.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
8.2.chmac.exe.4810000.9.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
8.1.chmac.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
11.0.chmac.exe.400000.3.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
8.0.chmac.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.0.filedata.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
8.0.chmac.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
8.0.chmac.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.0.filedata.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
8.2.chmac.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
8.0.chmac.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
8.0.chmac.exe.400000.2.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
8.0.chmac.exe.400000.5.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.0.filedata.exe.400000.5.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
11.0.chmac.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
11.0.chmac.exe.400000.5.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.0.filedata.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.0.filedata.exe.400000.3.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.2.filedata.exe.23f0000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
11.0.chmac.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
11.0.chmac.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
11.2.chmac.exe.4960000.9.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.0.filedata.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
11.0.chmac.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.1.filedata.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
1.2.filedata.exe.3220000.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
11.2.chmac.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
8.0.chmac.exe.400000.3.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
boyhome5100.duckdns.org	194.5.98.28	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nsis.sf.net/NSIS_Error	chmac.exe, chmac.exe, 00000009.00000002.343865229.0000000000409000.00000004.00020000.sdmp, chmac.exe, 00000009.00000000.325806188.0000000000409000.00000008.00020000.sdmp, chmac.exe, 0000000B.00000000.331021791.0000000000409000.00000008.00020000.sdmp, filedata.exe, chmac.exe.1.dr	false	high
http://nsis.sf.net/NSIS_ErrorError	filedata.exe, chmac.exe.1.dr	false	high
http://google.com	filedata.exe, 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp, filedata.exe, 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, filedata.exe, 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp	false	high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.98.28	boyhome5100.duckdns.org	Netherlands		208476	DANILENKODE	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	552947
Start date:	13.01.2022
Start time:	23:28:59
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 37s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	filedata (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@9/13@19/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 29.1% (good quality ratio 26.8%) Quality average: 73.9% Quality standard deviation: 32.2%
HCA Information:	Successful, ratio: 90% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:29:55	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kyvrnrwl C:\Users\user\AppData\Roaming\dihsw\chmac.exe
23:30:00	API Interceptor	944x Sleep call for process: filedata.exe modified
23:30:03	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kyvrnrwl C:\Users\user\AppData\Roaming\dihsw\chmac.exe
23:30:05	API Interceptor	2x Sleep call for process: chmac.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chmac.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\671ojhadbggvsw Download File
Process:	C:\Users\user\Desktop\filedata.exe
File Type:	data
Category:	dropped
Size (bytes):	278527
Entropy (8bit):	7.987787031163242
Encrypted:	false
SSDEEP:	6144:JyjBoleNjaczUJPSzq5TmUoW6saM3urgNNbbHb1BCjyW9yRJt:JwCqeczMS+t2W606oZ5Y+t
MD5:	0037B7C03C75B524F1B5DA59BD0D97AF
SHA1:	A8162ADBB06CD85B408B19AAB1467344C0214EBC
SHA-256:	D08272389DCC58B662F32AA01F819E1B8C5C60FAC52224FB822123ABBB00D10E
SHA-512:	695B639051E2A4412515B160C61F718DA9436774658960A87C94E498C9A172B160DE11314E83239616203D95DA1B1BB2B92B5FE0D2A63A68CDBFC806673A8600
Malicious:	false
Reputation:	unknown
Preview:	/...+...F..+._d...6..%[$B..c.-.H..D}....P...N......I.>..dp.\|.~8.P..i.67..X.)8tU(J.T.R...~.G.?.R.=.lgO...e....T8.`,..Q3yM.J._/....<..vn.>...?..,......zn6b......oj...I?a..(..j..K...w;.A.PFa.....jF..s,.,........s......\........q...J."w..y..x.......5.,...r.+;._.....%[$...c+-...).D}0...FQ...N.q3...Y.>..dp.=,~6../..x.k`.M.9=...:.u....d.......t...({n./...........F.Z.3yM.J._...b#.+.HC.. ......>..M.<S.x.f.e...3...\.8.V.-.({..2.S....0..o..pBkx.%.Gtz@.b.\x;...Q.X.W......]...xX.q.n.#3...x......q..@...i..+}.d.O.6...[$...c.-.H..D..V...;.`N.<....^.>..dp.I.~6../..x..`.M`9=....I...t.~...2.......p../.........."..~C.'.J.._.....].@.C;.2......\..M.<..xM...^..3;b.\...V.4.(..[2.S....0..o..Bk..%.Gtz@..).\.;...Q.X.W..?...Q...xX.q.n.#3...x.......5.,.....+}.d.O.6..%[$...c.-.H..D}....P...N......I.>..dp.=.~6../..x..`.M.9=.s.n.u.....~......t...({../.............Z.3yM.J._...b#.@..C;. ......\..M.<S.x.f.e...3*...\.8.V.G.(...2.S....0..o..pBkx.%.Gtz@..).\.;...Q.X.W..?...Q..

C:\Users\user\AppData\Local\Temp\nsf55B6.tmp Download File
Process:	C:\Users\user\Desktop\filedata.exe
File Type:	data
Category:	dropped
Size (bytes):	509164
Entropy (8bit):	7.276677920260067
Encrypted:	false
SSDEEP:	12288:K1JwCqeczMS+t2W606oZ5Y+eHHGnCYFD6TG9pjni6v:KE1zcE+eHHGTACLv
MD5:	45C0D0E2E6C46774F79BC514DECDC37E
SHA1:	D2D3CAAFBE35107F7077D2122E9CFE6DD6353877
SHA-256:	FB58D337C61534E44945B4383FE380C86A20208114B34947C6FCD6E13348D0E8
SHA-512:	9269FC7A3D801884AF742252BF4829DE9DCBFB7A06CF4BE9DF86F0154F5BD9F2CEFE631C16C1652DF638942591E1C3016EE292C8C01637FFFC17CE9379D50910
Malicious:	false
Reputation:	unknown
Preview:	S_......,.......................DG......m^......;_..........................................................................................................................................................................................................................................J...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsf55B7.tmp\zihgjt.dll Download File
Process:	C:\Users\user\Desktop\filedata.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	199168
Entropy (8bit):	5.818353923098329
Encrypted:	false
SSDEEP:	6144:sUtJEr7mQNzZ/vDXqxnfNahvFp1cck4X3rm6v:snCYFD6TG9pjni6v
MD5:	83A517CDC6B25A8B9EEE20AD2AD4885D
SHA1:	7108BB963BA45544F7B3138329CA56EEB8DE86CC
SHA-256:	1F2B96F19BBB393643B033507D0B824321CABFFD596F991443999097B1031179
SHA-512:	60BF20CF9C4262E74F2B506A1D5F02A2977E625139118C2E694A52264A6ED2E0B552FD2ACFDC9B2A842813F5E028B5AFC052202633397780CDCAE03721DE9396
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,...B...B...B.......B..C...B...C...B.a.F...B.a.B...B.d.....B.a.@...B.Rich..B.........PE..L...;G.a...........!.........................................................@............@.......................................... .......................0..x....................................................................................text...k........................... ..`.rdata..2...........................@..@.rsrc........ ......................@..@.reloc..x....0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsi8283.tmp Download File
Process:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
File Type:	data
Category:	dropped
Size (bytes):	509164
Entropy (8bit):	7.276677920260067
Encrypted:	false
SSDEEP:	12288:K1JwCqeczMS+t2W606oZ5Y+eHHGnCYFD6TG9pjni6v:KE1zcE+eHHGTACLv
MD5:	45C0D0E2E6C46774F79BC514DECDC37E
SHA1:	D2D3CAAFBE35107F7077D2122E9CFE6DD6353877
SHA-256:	FB58D337C61534E44945B4383FE380C86A20208114B34947C6FCD6E13348D0E8
SHA-512:	9269FC7A3D801884AF742252BF4829DE9DCBFB7A06CF4BE9DF86F0154F5BD9F2CEFE631C16C1652DF638942591E1C3016EE292C8C01637FFFC17CE9379D50910
Malicious:	false
Reputation:	unknown
Preview:	S_......,.......................DG......m^......;_..........................................................................................................................................................................................................................................J...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsi8284.tmp\zihgjt.dll Download File
Process:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	199168
Entropy (8bit):	5.818353923098329
Encrypted:	false
SSDEEP:	6144:sUtJEr7mQNzZ/vDXqxnfNahvFp1cck4X3rm6v:snCYFD6TG9pjni6v
MD5:	83A517CDC6B25A8B9EEE20AD2AD4885D
SHA1:	7108BB963BA45544F7B3138329CA56EEB8DE86CC
SHA-256:	1F2B96F19BBB393643B033507D0B824321CABFFD596F991443999097B1031179
SHA-512:	60BF20CF9C4262E74F2B506A1D5F02A2977E625139118C2E694A52264A6ED2E0B552FD2ACFDC9B2A842813F5E028B5AFC052202633397780CDCAE03721DE9396
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,...B...B...B.......B..C...B...C...B.a.F...B.a.B...B.d.....B.a.@...B.Rich..B.........PE..L...;G.a...........!.........................................................@............@.......................................... .......................0..x....................................................................................text...k........................... ..`.rdata..2...........................@..@.rsrc........ ......................@..@.reloc..x....0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsqA3A7.tmp Download File
Process:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
File Type:	data
Category:	dropped
Size (bytes):	509164
Entropy (8bit):	7.276677920260067
Encrypted:	false
SSDEEP:	12288:K1JwCqeczMS+t2W606oZ5Y+eHHGnCYFD6TG9pjni6v:KE1zcE+eHHGTACLv
MD5:	45C0D0E2E6C46774F79BC514DECDC37E
SHA1:	D2D3CAAFBE35107F7077D2122E9CFE6DD6353877
SHA-256:	FB58D337C61534E44945B4383FE380C86A20208114B34947C6FCD6E13348D0E8
SHA-512:	9269FC7A3D801884AF742252BF4829DE9DCBFB7A06CF4BE9DF86F0154F5BD9F2CEFE631C16C1652DF638942591E1C3016EE292C8C01637FFFC17CE9379D50910
Malicious:	false
Reputation:	unknown
Preview:	S_......,.......................DG......m^......;_..........................................................................................................................................................................................................................................J...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsqA3A8.tmp\zihgjt.dll Download File
Process:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	199168
Entropy (8bit):	5.818353923098329
Encrypted:	false
SSDEEP:	6144:sUtJEr7mQNzZ/vDXqxnfNahvFp1cck4X3rm6v:snCYFD6TG9pjni6v
MD5:	83A517CDC6B25A8B9EEE20AD2AD4885D
SHA1:	7108BB963BA45544F7B3138329CA56EEB8DE86CC
SHA-256:	1F2B96F19BBB393643B033507D0B824321CABFFD596F991443999097B1031179
SHA-512:	60BF20CF9C4262E74F2B506A1D5F02A2977E625139118C2E694A52264A6ED2E0B552FD2ACFDC9B2A842813F5E028B5AFC052202633397780CDCAE03721DE9396
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,...B...B...B.......B..C...B...C...B.a.F...B.a.B...B.d.....B.a.@...B.Rich..B.........PE..L...;G.a...........!.........................................................@............@.......................................... .......................0..x....................................................................................text...k........................... ..`.rdata..2...........................@..@.rsrc........ ......................@..@.reloc..x....0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\whpiswzko Download File
Process:	C:\Users\user\Desktop\filedata.exe
File Type:	data
Category:	dropped
Size (bytes):	7050
Entropy (8bit):	6.118390401908822
Encrypted:	false
SSDEEP:	192:QARpwFiGOPfrYJTdqMHrt5DDAnB96FUQCHQrRLhAKYoqA:+ifrejrU4AHIjAKY1A
MD5:	7FDBC0E9C2A4809011EBAF2722B58622
SHA1:	4B87C4B0BA5E681880FFAEDAC29744487DD3DDB2
SHA-256:	2B4D46A91010087F8B30D49470C9D0819ADF0F44EE1684C1CCA5F732CE2ACA62
SHA-512:	DEC7E80F10350A680FF316469FBFD2817B4937157082571AE4F859B837BA04489BC21B968C941B7769AF2CA07698B7111A9B748FA12EB5530367959FD96B08F0
Malicious:	false
Reputation:	unknown
Preview:	.t....C...L....).....&...l...&.....)..........)........A........E.tE.p......A........E.\|E.x......A....{...E..E........A........E..E......R"..#.....5E.lE..C.....[.E..E..C..C..A..[z"....C.....A..E....E)...."[..........)...t...\|....M....M...l.....I...'.C..'.E..........tM.C...E...)..................C)...C.....C......C......&....C..C.S....C..C.C..C..E..C...E..C..C.LC..E.C..C..C.....$................$&.o..&...........$..3...............C......&...........A.tE........C.....C..LE..C...E.........I..C..5"..#..E..tE..pA..5"...m.E..tE..p"."..#..A..t.$&.o..}.....~...E....A..........E........)..........C..C......C...L...&...........A..E........C.....C..LE..C...E.........I.HB...C..5"..#..E...E...C..5"...m.E...E...C..5"..}mE...E...C..[."..#z.E...E...A..5"...m.E...E..."."..#..A....$...........k...E........C..C..E..................W...E........)..........C..C.....C...........A..E........C.....C..LE..C...E....."...I..C..5"..#..E...E...C..5"...m.E...E..."."..#..A...$..3............E......

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\filedata.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
MD5:	9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA1:	76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
SHA-256:	AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
SHA-512:	93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
Malicious:	false
Reputation:	unknown
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\filedata.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:fJp8:fJp8
MD5:	9C9A932073E898A03B937105A5D91C30
SHA1:	3B53F50CF4EC7E40913CFBD2279E34E984CF309A
SHA-256:	3B4B7E29ADF8FF8CF49CDB924DE689CDB735A12EBD78DD29537E81A9454E9631
SHA-512:	C06CFE30E6DC392F0B9552685C3D47C190D5C308EB2B8BAEE4E60A9C1C25AF20B002A62EFC8911D70C828BE4C48818408C9E78C060BBC035400BEA76D14800DF
Malicious:	true
Reputation:	unknown
Preview:	..l./..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Users\user\Desktop\filedata.exe
File Type:	data
Category:	dropped
Size (bytes):	426832
Entropy (8bit):	7.999527918131335
Encrypted:	true
SSDEEP:	6144:zKfHbamD8WN+JQYrjM7Ei2CsFJjyh9zvgPonV5HqZcPVT4Eb+Z6no3QSzjeMsdF/:zKf137EiDsTjevgArYcPVLoTQS+0iv
MD5:	653DDDCB6C89F6EC51F3DDC0053C5914
SHA1:	4CF7E7D42495CE01C261E4C5C4B8BF6CD76CCEE5
SHA-256:	83B9CAE66800C768887FB270728F6806CBEBDEAD9946FA730F01723847F17FF9
SHA-512:	27A467F2364C21CD1C6C34EF1CA5FFB09B4C3180FC9C025E293374EB807E4382108617BB4B97F8EBBC27581CD6E5988BB5E21276B3CB829C1C0E49A6FC9463A0
Malicious:	false
Reputation:	unknown
Preview:	..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h...J4...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H...........OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........X...bZ...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..

C:\Users\user\AppData\Roaming\dihsw\chmac.exe Download File
Process:	C:\Users\user\Desktop\filedata.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	784599
Entropy (8bit):	6.041735231045258
Encrypted:	false
SSDEEP:	6144:lwq9qYuoyUjNf5JXRf4RkwTxMiDWkFhvCZyHvV9unFgG9+RVB0qQVDK9gY2wZF+Z:oYuoLl5JRfO/dEyHbuqlt2wZbw
MD5:	2CE21C68E4D03F35248689663DC820DE
SHA1:	5963D9D448D322CB49F4DEE613734FE030131C11
SHA-256:	93D545C83FA462035AE0C2AA0036DB008FC4BDF3D10EC89C6F0B6699B09C6FBF
SHA-512:	2DD9A30D892FC0415976BDEB257658CFCC876A0B3935027E41E67D9272CC8DC3D4CCF882213DBA62653169AD159777CDF1E2866E98308FD05B78DF052437C122
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2.......p....@..........................p...............................................s.......................................................................................p...............................text...vY.......Z.................. ..`.rdata.......p.......^..............@..@.data................p..............@....ndata.......@...........................rsrc................t..............@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.041735231045258
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	filedata.exe
File size:	784599
MD5:	2ce21c68e4d03f35248689663dc820de
SHA1:	5963d9d448d322cb49f4dee613734fe030131c11
SHA256:	93d545c83fa462035ae0c2aa0036db008fc4bdf3d10ec89c6f0b6699b09c6fbf
SHA512:	2dd9a30d892fc0415976bdeb257658cfcc876a0b3935027e41e67d9272cc8dc3d4ccf882213dba62653169ad159777cdf1e2866e98308fd05b78df052437c122
SSDEEP:	6144:lwq9qYuoyUjNf5JXRf4RkwTxMiDWkFhvCZyHvV9unFgG9+RVB0qQVDK9gY2wZF+Z:oYuoLl5JRfO/dEyHbuqlt2wZbw
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2.....

File Icon


Icon Hash:	d8c8d0d0f0ccd4d0

Static PE Info

General
Entrypoint:	0x403225
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	099c0646ea7282d232219f8807883be0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409128h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007F4534DCA780h
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F450h
call dword ptr [00407158h]
push 004091B0h
push 004236A0h
call 00007F4534DCA437h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007F4534DCA425h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007F4534DC7C4Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F4534DC9F18h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F4534DC7CA5h
cmp cl, 00000020h
jne 00007F4534DC7C48h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F4534DC7C3Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x5ac80	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5976	0x5a00	False	0.668619791667	data	6.46680044621	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	False	0.444878472222	data	5.17796812871	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1af98	0x400	False	0.55078125	data	4.68983486809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x24000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x5ac80	0x5ae00	False	0.0282652381362	data	2.14570825877	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2c280	0x42028	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x6e2a8	0x10828	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x7ead0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x82cf8	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x852a0	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x86348	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x867b0	0x100	data	English	United States
RT_DIALOG	0x868b0	0x11c	data	English	United States
RT_DIALOG	0x869d0	0x60	data	English	United States
RT_GROUP_ICON	0x86a30	0x5a	data	English	United States
RT_MANIFEST	0x86a90	0x1eb	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/13/22-23:30:03.114899	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	57875	8.8.8.8	192.168.2.3
01/13/22-23:30:09.487899	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	54154	8.8.8.8	192.168.2.3
01/13/22-23:30:16.674902	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	52806	8.8.8.8	192.168.2.3
01/13/22-23:30:23.300895	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	64021	8.8.8.8	192.168.2.3
01/13/22-23:30:29.657068	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	60784	8.8.8.8	192.168.2.3
01/13/22-23:31:04.814602	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	57106	8.8.8.8	192.168.2.3
01/13/22-23:31:29.966209	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	64367	8.8.8.8	192.168.2.3
01/13/22-23:31:49.350900	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50585	8.8.8.8	192.168.2.3
01/13/22-23:31:55.654415	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	63456	8.8.8.8	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2022 23:30:03.124927044 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:03.336703062 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:03.336823940 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:03.372575045 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:03.629837990 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:03.630289078 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:03.898124933 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:03.898195028 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:04.111376047 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:04.111598015 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:04.367219925 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:04.367336035 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:04.636537075 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:04.636598110 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:04.667598009 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:04.667722940 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:04.667794943 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:04.667817116 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:04.667845964 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:04.667905092 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:04.667947054 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:04.668003082 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:04.879739046 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:04.879793882 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:04.879858017 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:04.879894018 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:04.879909992 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:04.880047083 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:04.880117893 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:04.880212069 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:04.880234957 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:04.880268097 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:04.880306005 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:04.880408049 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:04.880461931 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:04.880578041 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:04.880631924 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.096484900 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.096632957 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.096669912 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.096738100 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.096837044 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.096892118 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.097032070 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.097083092 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.097219944 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.097270966 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.097524881 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.097573996 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.097979069 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.098031044 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.098144054 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.098195076 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.098300934 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.098349094 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.098371983 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.098417997 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.098675013 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.098733902 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.098788023 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.099076986 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.099148989 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.099204063 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.099384069 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.099414110 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.099442005 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.099466085 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.099577904 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.099641085 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.162321091 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.308963060 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.309088945 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.325701952 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.325815916 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.328002930 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.328088999 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.328135014 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.328191042 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.328447104 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.328569889 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.328607082 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.328660011 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.328674078 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.328722954 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.328819036 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.328877926 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.329273939 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.329441071 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.329462051 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.329509974 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.329624891 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.329673052 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.329808950 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.329857111 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.329982996 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.330033064 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.330179930 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.330244064 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 23:30:05.330322027 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 23:30:05.330372095 CET	49745	5100	192.168.2.3	194.5.98.28

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2022 23:30:02.870904922 CET	57875	53	192.168.2.3	8.8.8.8
Jan 13, 2022 23:30:03.114898920 CET	53	57875	8.8.8.8	192.168.2.3
Jan 13, 2022 23:30:09.373775005 CET	54154	53	192.168.2.3	8.8.8.8
Jan 13, 2022 23:30:09.487899065 CET	53	54154	8.8.8.8	192.168.2.3
Jan 13, 2022 23:30:16.561302900 CET	52806	53	192.168.2.3	8.8.8.8
Jan 13, 2022 23:30:16.674901962 CET	53	52806	8.8.8.8	192.168.2.3
Jan 13, 2022 23:30:23.187381983 CET	64021	53	192.168.2.3	8.8.8.8
Jan 13, 2022 23:30:23.300894976 CET	53	64021	8.8.8.8	192.168.2.3
Jan 13, 2022 23:30:29.544877052 CET	60784	53	192.168.2.3	8.8.8.8
Jan 13, 2022 23:30:29.657068014 CET	53	60784	8.8.8.8	192.168.2.3
Jan 13, 2022 23:30:35.862909079 CET	51143	53	192.168.2.3	8.8.8.8
Jan 13, 2022 23:30:35.880496979 CET	53	51143	8.8.8.8	192.168.2.3
Jan 13, 2022 23:30:42.131566048 CET	49572	53	192.168.2.3	8.8.8.8
Jan 13, 2022 23:30:42.150928020 CET	53	49572	8.8.8.8	192.168.2.3
Jan 13, 2022 23:30:48.426723957 CET	49559	53	192.168.2.3	8.8.8.8
Jan 13, 2022 23:30:48.446316004 CET	53	49559	8.8.8.8	192.168.2.3
Jan 13, 2022 23:30:54.613883972 CET	53615	53	192.168.2.3	8.8.8.8
Jan 13, 2022 23:30:54.632702112 CET	53	53615	8.8.8.8	192.168.2.3
Jan 13, 2022 23:30:59.355778933 CET	50728	53	192.168.2.3	8.8.8.8
Jan 13, 2022 23:30:59.375061989 CET	53	50728	8.8.8.8	192.168.2.3
Jan 13, 2022 23:31:04.701240063 CET	57106	53	192.168.2.3	8.8.8.8
Jan 13, 2022 23:31:04.814601898 CET	53	57106	8.8.8.8	192.168.2.3
Jan 13, 2022 23:31:11.947314024 CET	60352	53	192.168.2.3	8.8.8.8
Jan 13, 2022 23:31:11.966460943 CET	53	60352	8.8.8.8	192.168.2.3
Jan 13, 2022 23:31:16.616014957 CET	56773	53	192.168.2.3	8.8.8.8
Jan 13, 2022 23:31:16.635252953 CET	53	56773	8.8.8.8	192.168.2.3
Jan 13, 2022 23:31:22.897260904 CET	60982	53	192.168.2.3	8.8.8.8
Jan 13, 2022 23:31:22.916559935 CET	53	60982	8.8.8.8	192.168.2.3
Jan 13, 2022 23:31:29.851943970 CET	64367	53	192.168.2.3	8.8.8.8
Jan 13, 2022 23:31:29.966208935 CET	53	64367	8.8.8.8	192.168.2.3
Jan 13, 2022 23:31:36.113398075 CET	51539	53	192.168.2.3	8.8.8.8
Jan 13, 2022 23:31:36.133018017 CET	53	51539	8.8.8.8	192.168.2.3
Jan 13, 2022 23:31:43.051018000 CET	55393	53	192.168.2.3	8.8.8.8
Jan 13, 2022 23:31:43.070338964 CET	53	55393	8.8.8.8	192.168.2.3
Jan 13, 2022 23:31:49.237736940 CET	50585	53	192.168.2.3	8.8.8.8
Jan 13, 2022 23:31:49.350899935 CET	53	50585	8.8.8.8	192.168.2.3
Jan 13, 2022 23:31:55.541038036 CET	63456	53	192.168.2.3	8.8.8.8
Jan 13, 2022 23:31:55.654414892 CET	53	63456	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2022 23:30:02.870904922 CET	192.168.2.3	8.8.8.8	0x831b	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 23:30:09.373775005 CET	192.168.2.3	8.8.8.8	0xeaa2	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 23:30:16.561302900 CET	192.168.2.3	8.8.8.8	0x9112	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 23:30:23.187381983 CET	192.168.2.3	8.8.8.8	0xd6c9	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 23:30:29.544877052 CET	192.168.2.3	8.8.8.8	0x9289	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 23:30:35.862909079 CET	192.168.2.3	8.8.8.8	0x35ae	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 23:30:42.131566048 CET	192.168.2.3	8.8.8.8	0x985e	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 23:30:48.426723957 CET	192.168.2.3	8.8.8.8	0xf81b	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 23:30:54.613883972 CET	192.168.2.3	8.8.8.8	0x5193	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 23:30:59.355778933 CET	192.168.2.3	8.8.8.8	0xc294	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 23:31:04.701240063 CET	192.168.2.3	8.8.8.8	0xf140	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 23:31:11.947314024 CET	192.168.2.3	8.8.8.8	0xf671	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 23:31:16.616014957 CET	192.168.2.3	8.8.8.8	0x5ddc	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 23:31:22.897260904 CET	192.168.2.3	8.8.8.8	0x8ef1	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 23:31:29.851943970 CET	192.168.2.3	8.8.8.8	0x1c99	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 23:31:36.113398075 CET	192.168.2.3	8.8.8.8	0x885e	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 23:31:43.051018000 CET	192.168.2.3	8.8.8.8	0xae31	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 23:31:49.237736940 CET	192.168.2.3	8.8.8.8	0x2086	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 23:31:55.541038036 CET	192.168.2.3	8.8.8.8	0xde21	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 13, 2022 23:30:03.114898920 CET	8.8.8.8	192.168.2.3	0x831b	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 23:30:09.487899065 CET	8.8.8.8	192.168.2.3	0xeaa2	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 23:30:16.674901962 CET	8.8.8.8	192.168.2.3	0x9112	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 23:30:23.300894976 CET	8.8.8.8	192.168.2.3	0xd6c9	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 23:30:29.657068014 CET	8.8.8.8	192.168.2.3	0x9289	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 23:30:35.880496979 CET	8.8.8.8	192.168.2.3	0x35ae	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 23:30:42.150928020 CET	8.8.8.8	192.168.2.3	0x985e	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 23:30:48.446316004 CET	8.8.8.8	192.168.2.3	0xf81b	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 23:30:54.632702112 CET	8.8.8.8	192.168.2.3	0x5193	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 23:30:59.375061989 CET	8.8.8.8	192.168.2.3	0xc294	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 23:31:04.814601898 CET	8.8.8.8	192.168.2.3	0xf140	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 23:31:11.966460943 CET	8.8.8.8	192.168.2.3	0xf671	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 23:31:16.635252953 CET	8.8.8.8	192.168.2.3	0x5ddc	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 23:31:22.916559935 CET	8.8.8.8	192.168.2.3	0x8ef1	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 23:31:29.966208935 CET	8.8.8.8	192.168.2.3	0x1c99	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 23:31:36.133018017 CET	8.8.8.8	192.168.2.3	0x885e	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 23:31:43.070338964 CET	8.8.8.8	192.168.2.3	0xae31	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 23:31:49.350899935 CET	8.8.8.8	192.168.2.3	0x2086	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 23:31:55.654414892 CET	8.8.8.8	192.168.2.3	0xde21	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: filedata.exe PID: 6760 Parent PID: 5712

General

Start time:	23:29:52
Start date:	13/01/2022
Path:	C:\Users\user\Desktop\filedata.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\filedata.exe"
Imagebase:	0x400000
File size:	784599 bytes
MD5 hash:	2CE21C68E4D03F35248689663DC820DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.300538390.00000000023A0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: filedata.exe PID: 6220 Parent PID: 6760

General

Start time:	23:29:54
Start date:	13/01/2022
Path:	C:\Users\user\Desktop\filedata.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\filedata.exe"
Imagebase:	0x400000
File size:	784599 bytes
MD5 hash:	2CE21C68E4D03F35248689663DC820DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000000.298557071.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.561118810.00000000023B0000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.563662225.00000000053E0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.563662225.00000000053E0000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.561439821.00000000027A1000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.564073879.0000000005420000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.564073879.0000000005420000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.297190479.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.297190479.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000000.297190479.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.562912360.0000000004A30000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.562912360.0000000004A30000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.563590904.00000000053D0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.563590904.00000000053D0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.563438389.00000000053B0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.563438389.00000000053B0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.561228467.00000000023F2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.562570219.0000000003B61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.556140287.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.564478287.0000000005480000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.564478287.0000000005480000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.564299116.0000000005450000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.564299116.0000000005450000.00000004.00020000.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000005.00000002.561605323.00000000027F4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.563389843.0000000005390000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.563389843.0000000005390000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.562144773.00000000037D5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.563083334.0000000004BC0000.00000004.00020000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.563764546.00000000053F0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.563059058.0000000004BB0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.563059058.0000000004BB0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000001.299308522.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000001.299308522.0000000000414000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000001.299308522.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.562195683.0000000003832000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.559328771.0000000000614000.00000004.00000020.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.559328771.0000000000614000.00000004.00000020.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.559328771.0000000000614000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 00000005.00000002.561892124.0000000002958000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.563366604.0000000005370000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.563366604.0000000005370000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.563890986.0000000005400000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.563890986.0000000005400000.00000004.00020000.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000005.00000002.562427187.0000000003A5C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.564263969.0000000005440000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.564263969.0000000005440000.00000004.00020000.sdmp, Author: Florian Roth
Reputation:	low

Analysis Process: chmac.exe PID: 2812 Parent PID: 3352

General

Start time:	23:30:03
Start date:	13/01/2022
Path:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Imagebase:	0x400000
File size:	784599 bytes
MD5 hash:	2CE21C68E4D03F35248689663DC820DE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.330799074.00000000032C0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: chmac.exe PID: 6352 Parent PID: 2812

General

Start time:	23:30:05
Start date:	13/01/2022
Path:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Imagebase:	0x400000
File size:	784599 bytes
MD5 hash:	2CE21C68E4D03F35248689663DC820DE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000000.327164969.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.345221899.000000000364A000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000002.345221899.000000000364A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000002.345524498.00000000047C0000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000001.328667049.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000001.328667049.0000000000414000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000001.328667049.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000002.345668628.0000000004812000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000002.345117243.0000000003611000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000002.344185437.0000000000627000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 00000008.00000002.345062402.000000000261E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000002.343717430.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000000.325598662.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000000.325598662.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000000.325598662.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: chmac.exe PID: 4476 Parent PID: 3352

General

Start time:	23:30:11
Start date:	13/01/2022
Path:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Imagebase:	0x400000
File size:	784599 bytes
MD5 hash:	2CE21C68E4D03F35248689663DC820DE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.345786625.0000000003180000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.345786625.0000000003180000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.345786625.0000000003180000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000009.00000002.345786625.0000000003180000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: chmac.exe PID: 6968 Parent PID: 4476

General

Start time:	23:30:14
Start date:	13/01/2022
Path:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Imagebase:	0x400000
File size:	784599 bytes
MD5 hash:	2CE21C68E4D03F35248689663DC820DE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.361160585.0000000004920000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.361229829.0000000004962000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.360739917.00000000006C4000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000001.343397650.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.360475057.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000000.342661979.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.342661979.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.342661979.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.361051688.000000000381A000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.361051688.000000000381A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000000.341500174.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.341500174.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.341500174.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.360974701.00000000027EE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.361014751.00000000037E1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.361014751.00000000037E1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.361014751.00000000037E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report filedata

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre