Edit tour

Windows Analysis Report
QUOTATION.exe

Overview

General Information

Sample Name:	QUOTATION.exe
Analysis ID:	624514
MD5:	dbffb4682e330d635295ccdd92fe99c4
SHA1:	ba03bbac64d96bfbd3067803a8b08466b8fb0d3a
SHA256:	011c5f305852ea8ef82a26bae0d7b6f59fd70f431b91edb25df06863e0001bc0
Tags:	exeNanoCoreQuotation
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Antivirus detection for URL or domain

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Initial sample is a PE file and has a suspicious name

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Detected TCP or UDP traffic on non-standard ports

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

QUOTATION.exe (PID: 636 cmdline: "C:\Users\user\Desktop\QUOTATION.exe" MD5: DBFFB4682E330D635295CCDD92FE99C4)

QUOTATION.exe (PID: 1052 cmdline: C:\Users\user\Desktop\QUOTATION.exe MD5: DBFFB4682E330D635295CCDD92FE99C4)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "fe56abb4-cb76-44f1-89b4-7bb11730", "Group": "Default", "Domain1": "deranano2.ddns.net", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x55def:$a: NanoCore 0x55ed9:$a: NanoCore 0x56d50:$a: NanoCore 0x5fefa:$a: NanoCore 0x5ff5b:$a: NanoCore 0x5ff9e:$a: NanoCore 0x5ffde:$a: NanoCore 0x6021a:$a: NanoCore 0x602ba:$a: NanoCore 0x60a92:$a: NanoCore 0x61085:$a: NanoCore 0x611d6:$a: NanoCore 0x62030:$a: NanoCore 0x62297:$a: NanoCore 0x622ac:$a: NanoCore 0x622cb:$a: NanoCore 0x6b1ce:$a: NanoCore 0x6b1f7:$a: NanoCore 0x76f70:$a: NanoCore 0x76f99:$a: NanoCore 0x9be5c:$a: NanoCore
00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x52a2:$a: NanoCore 0x5303:$a: NanoCore 0x5346:$a: NanoCore 0x5386:$a: NanoCore 0x55c2:$a: NanoCore 0x5662:$a: NanoCore 0x5e3a:$a: NanoCore 0x642d:$a: NanoCore 0x657e:$a: NanoCore 0x73d8:$a: NanoCore 0x763f:$a: NanoCore 0x7654:$a: NanoCore 0x7673:$a: NanoCore 0x10576:$a: NanoCore 0x1059f:$a: NanoCore 0x1c318:$a: NanoCore 0x1c341:$a: NanoCore 0x41204:$a: NanoCore 0x4121c:$a: NanoCore 0x41245:$a: NanoCore 0x50648:$a: NanoCore
00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x37fd7:$a: NanoCore 0x38030:$a: NanoCore 0x3806d:$a: NanoCore 0x380e6:$a: NanoCore 0x4b14a:$a: NanoCore 0x4b16f:$a: NanoCore 0x4b1c8:$a: NanoCore 0x5b3cb:$a: NanoCore 0x5b3f1:$a: NanoCore 0x5b44d:$a: NanoCore 0x38039:$b: ClientPlugin 0x38076:$b: ClientPlugin 0x38974:$b: ClientPlugin 0x38981:$b: ClientPlugin 0x4af41:$b: ClientPlugin 0x4af52:$b: ClientPlugin 0x4af82:$b: ClientPlugin 0x4b153:$b: ClientPlugin 0x4b178:$b: ClientPlugin 0x5b107:$b: ClientPlugin 0x5b11e:$b: ClientPlugin
00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x123a3:$a: NanoCore 0x123fc:$a: NanoCore 0x1242f:$a: NanoCore 0x1265b:$a: NanoCore 0x126d7:$a: NanoCore 0x12cf0:$a: NanoCore 0x12e39:$a: NanoCore 0x1330d:$a: NanoCore 0x135f4:$a: NanoCore 0x1360b:$a: NanoCore 0x1c4bb:$a: NanoCore 0x1c537:$a: NanoCore 0x1ee1a:$a: NanoCore 0x243f1:$a: NanoCore 0x2446b:$a: NanoCore 0x2a3d4:$a: NanoCore 0x2a41e:$a: NanoCore 0x2b078:$a: NanoCore 0x33e4f:$a: NanoCore 0x33f39:$a: NanoCore 0x34db0:$a: NanoCore
00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
00000001.00000002.416586877.00000000024C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4e745:$x1: NanoCore.ClientPluginHost 0x80f65:$x1: NanoCore.ClientPluginHost 0x24e22d:$x1: NanoCore.ClientPluginHost 0x4e782:$x2: IClientNetworkHost 0x80fa2:$x2: IClientNetworkHost 0x24e26a:$x2: IClientNetworkHost 0x522b5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x84ad5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x251d9d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4e4ad:$a: NanoCore 0x4e4bd:$a: NanoCore 0x4e6f1:$a: NanoCore 0x4e705:$a: NanoCore 0x4e745:$a: NanoCore 0x80ccd:$a: NanoCore 0x80cdd:$a: NanoCore 0x80f11:$a: NanoCore 0x80f25:$a: NanoCore 0x80f65:$a: NanoCore 0x24df95:$a: NanoCore 0x24dfa5:$a: NanoCore 0x24e1d9:$a: NanoCore 0x24e1ed:$a: NanoCore 0x24e22d:$a: NanoCore 0x4e50c:$b: ClientPlugin 0x4e70e:$b: ClientPlugin 0x4e74e:$b: ClientPlugin 0x80d2c:$b: ClientPlugin 0x80f2e:$b: ClientPlugin 0x80f6e:$b: ClientPlugin
Process Memory Space: QUOTATION.exe PID: 636	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4ce5a:$x1: NanoCore.ClientPluginHost 0x4ce97:$x2: IClientNetworkHost 0x5097f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5b9fd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x678ce:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x8721e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: QUOTATION.exe PID: 636	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: QUOTATION.exe PID: 636	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: QUOTATION.exe PID: 636	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4cb27:$a: NanoCore 0x4cb37:$a: NanoCore 0x4cbf6:$a: NanoCore 0x4cc05:$a: NanoCore 0x4ce06:$a: NanoCore 0x4ce1a:$a: NanoCore 0x4ce5a:$a: NanoCore 0x58067:$a: NanoCore 0x58079:$a: NanoCore 0x580b5:$a: NanoCore 0x63f38:$a: NanoCore 0x63f4a:$a: NanoCore 0x63f86:$a: NanoCore 0x83888:$a: NanoCore 0x8389a:$a: NanoCore 0x838d6:$a: NanoCore 0x4cb86:$b: ClientPlugin 0x4cc4f:$b: ClientPlugin 0x4ce23:$b: ClientPlugin 0x4ce63:$b: ClientPlugin 0x58082:$b: ClientPlugin
Process Memory Space: QUOTATION.exe PID: 1052	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe126:$x1: NanoCore.ClientPluginHost 0x57261:$x1: NanoCore.ClientPluginHost 0x6ea0e:$x1: NanoCore.ClientPluginHost 0x76f50:$x1: NanoCore.ClientPluginHost 0x9951a:$x1: NanoCore.ClientPluginHost 0xaf913:$x1: NanoCore.ClientPluginHost 0xc5baa:$x1: NanoCore.ClientPluginHost 0xf2abc:$x1: NanoCore.ClientPluginHost 0xfd161:$x1: NanoCore.ClientPluginHost 0x12c220:$x1: NanoCore.ClientPluginHost 0x144293:$x1: NanoCore.ClientPluginHost 0x17bf8d:$x1: NanoCore.ClientPluginHost 0x18b9b8:$x1: NanoCore.ClientPluginHost 0x1bdb2b:$x1: NanoCore.ClientPluginHost 0x1d9ddf:$x1: NanoCore.ClientPluginHost 0x21807c:$x1: NanoCore.ClientPluginHost 0x2436e0:$x1: NanoCore.ClientPluginHost 0x269b57:$x1: NanoCore.ClientPluginHost 0x271447:$x1: NanoCore.ClientPluginHost 0x27b8be:$x1: NanoCore.ClientPluginHost 0x2a3013:$x1: NanoCore.ClientPluginHost
Process Memory Space: QUOTATION.exe PID: 1052	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: QUOTATION.exe PID: 1052	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe126:$a: NanoCore 0xe210:$a: NanoCore 0xf042:$a: NanoCore 0x101eb:$a: NanoCore 0x102c6:$a: NanoCore 0x11038:$a: NanoCore 0x12926:$a: NanoCore 0x1293e:$a: NanoCore 0x12970:$a: NanoCore 0x129a2:$a: NanoCore 0x1303f:$a: NanoCore 0x13068:$a: NanoCore 0x130b3:$a: NanoCore 0x1310e:$a: NanoCore 0x1314b:$a: NanoCore 0x13186:$a: NanoCore 0x1339b:$a: NanoCore 0x13430:$a: NanoCore 0x13b71:$a: NanoCore 0x140e8:$a: NanoCore 0x1422c:$a: NanoCore
Click to see the 70 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.QUOTATION.exe.6e90000.33.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6e90000.33.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6e90000.33.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
5.2.QUOTATION.exe.6e90000.33.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6e90000.33.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6e90000.33.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
5.2.QUOTATION.exe.6bb0000.30.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6bb0000.30.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6bb0000.30.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3ed5:$x2: NanoCore.ClientPlugin 0x3deb:$x3: NanoCore.ClientPluginHost 0x3eeb:$i3: IClientNetwork 0x3e24:$i5: IClientDataHost 0x3e05:$i6: IClientLoggingHost 0x3f48:$i7: IClientNetworkHost 0x3e43:$i8: IClientUIHost 0x4d55:$i9: IClientNameObjectCollection 0x38fc:$s1: ClientPlugin 0x3ede:$s1: ClientPlugin 0x4d71:$s6: get_ClientSettings
5.2.QUOTATION.exe.3d4fbd7.15.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
5.2.QUOTATION.exe.3d4fbd7.15.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
5.2.QUOTATION.exe.3d4fbd7.15.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
5.2.QUOTATION.exe.5c64629.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
5.2.QUOTATION.exe.5c64629.21.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
5.2.QUOTATION.exe.5c64629.21.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.QUOTATION.exe.5c64629.21.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
5.2.QUOTATION.exe.6b80000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6b80000.27.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6b80000.27.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
5.2.QUOTATION.exe.5ed0000.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
5.2.QUOTATION.exe.5ed0000.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
5.2.QUOTATION.exe.5ed0000.24.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
5.2.QUOTATION.exe.3ade5cf.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
5.2.QUOTATION.exe.3ade5cf.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
5.2.QUOTATION.exe.3ade5cf.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
5.2.QUOTATION.exe.3ad9930.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
5.2.QUOTATION.exe.3ad9930.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
5.2.QUOTATION.exe.3ad9930.9.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
5.2.QUOTATION.exe.6ee0000.37.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6ee0000.37.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6ee0000.37.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
5.2.QUOTATION.exe.3b38a28.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
5.2.QUOTATION.exe.3b38a28.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
5.2.QUOTATION.exe.3b38a28.13.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.QUOTATION.exe.3b38a28.13.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
5.2.QUOTATION.exe.3e1d82f.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0xe9c8:$x1: NanoCore.ClientPluginHost 0x1a76a:$x1: NanoCore.ClientPluginHost 0x3f66e:$x1: NanoCore.ClientPluginHost 0x4eaae:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost 0xe9e2:$x2: IClientNetworkHost 0x1a784:$x2: IClientNetworkHost 0x3f688:$x2: IClientNetworkHost 0x4eaeb:$x2: IClientNetworkHost
5.2.QUOTATION.exe.3e1d82f.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0xe9c8:$x2: NanoCore.ClientPluginHost 0x1a76a:$x2: NanoCore.ClientPluginHost 0x3f66e:$x2: NanoCore.ClientPluginHost 0x4eaae:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0xf9fd:$s4: PipeCreated 0x1c515:$s4: PipeCreated 0x429ab:$s4: PipeCreated 0x51f01:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost 0xe9b5:$s5: IClientLoggingHost 0x1a757:$s5: IClientLoggingHost 0x3f65b:$s5: IClientLoggingHost 0x4ead8:$s5: IClientLoggingHost
5.2.QUOTATION.exe.3e1d82f.17.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0xe99f:$x2: NanoCore.ClientPlugin 0x1a741:$x2: NanoCore.ClientPlugin 0x3f645:$x2: NanoCore.ClientPlugin 0x4ea89:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0xe9c8:$x3: NanoCore.ClientPluginHost 0x1a76a:$x3: NanoCore.ClientPluginHost 0x3f66e:$x3: NanoCore.ClientPluginHost 0x4eaae:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0xe990:$i3: IClientNetwork 0x1a732:$i3: IClientNetwork 0x3f636:$i3: IClientNetwork 0x4ea7a:$i3: IClientNetwork 0x4ea9f:$i4: IClientAppHost 0x3a43:$i5: IClientDataHost 0x4eac8:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0xe9b5:$i6: IClientLoggingHost 0x1a757:$i6: IClientLoggingHost
5.2.QUOTATION.exe.3e1d82f.17.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36cb:$a: NanoCore 0x372c:$a: NanoCore 0x376f:$a: NanoCore 0x37af:$a: NanoCore 0x39eb:$a: NanoCore 0x3a8b:$a: NanoCore 0x4263:$a: NanoCore 0x4856:$a: NanoCore 0x49a7:$a: NanoCore 0x5801:$a: NanoCore 0x5a68:$a: NanoCore 0x5a7d:$a: NanoCore 0x5a9c:$a: NanoCore 0xe99f:$a: NanoCore 0xe9c8:$a: NanoCore 0x1a741:$a: NanoCore 0x1a76a:$a: NanoCore 0x3f62d:$a: NanoCore 0x3f645:$a: NanoCore 0x3f66e:$a: NanoCore 0x4ea71:$a: NanoCore
5.2.QUOTATION.exe.6b80000.27.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6b80000.27.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6b80000.27.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3f87:$x2: NanoCore.ClientPlugin 0x3f0b:$x3: NanoCore.ClientPluginHost 0x3f9d:$i3: IClientNetwork 0x3f25:$i6: IClientLoggingHost 0x3f44:$i7: IClientNetworkHost 0x3bfb:$s1: ClientPlugin 0x3f90:$s1: ClientPlugin 0x50f4:$s3: IPAddress
5.2.QUOTATION.exe.2b2384c.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
5.2.QUOTATION.exe.2b2384c.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
5.2.QUOTATION.exe.2b2384c.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
5.2.QUOTATION.exe.2b175b4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14e3d:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e6a:$x2: IClientNetworkHost
5.2.QUOTATION.exe.2b175b4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14e3d:$x2: NanoCore.ClientPluginHost 0x15e0c:$s2: FileCommand 0x6a6b:$s4: PipeCreated 0x1a80e:$s4: PipeCreated 0x14e57:$s5: IClientLoggingHost
5.2.QUOTATION.exe.2b175b4.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14e17:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x14e3d:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x14e08:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x14e2d:$i5: IClientDataHost 0x14e57:$i6: IClientLoggingHost 0x4be5:$i7: IClientNetworkHost 0x14e6a:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x14e7d:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin 0x14b9a:$s1: ClientPlugin 0x14e20:$s1: ClientPlugin
5.2.QUOTATION.exe.6bb0000.30.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6bb0000.30.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6bb0000.30.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
5.2.QUOTATION.exe.3b2458d.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c48:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c75:$x2: IClientNetworkHost
5.2.QUOTATION.exe.3b2458d.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c48:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d23:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c62:$s5: IClientLoggingHost
5.2.QUOTATION.exe.3b2458d.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.QUOTATION.exe.3b2458d.12.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x23c13:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x23c48:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x23c07:$i2: IClientData 0xb165:$i3: IClientNetwork 0x23c29:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x23c38:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x23c62:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x23c75:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x23c88:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x23c96:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x23cb2:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
5.0.QUOTATION.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.QUOTATION.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.QUOTATION.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.QUOTATION.exe.400000.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
5.0.QUOTATION.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.QUOTATION.exe.6b40000.25.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6b40000.25.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6b40000.25.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
5.2.QUOTATION.exe.3b3d051.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
5.2.QUOTATION.exe.3b3d051.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
5.2.QUOTATION.exe.3b3d051.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.QUOTATION.exe.3b3d051.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
5.2.QUOTATION.exe.3ae81d4.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
5.2.QUOTATION.exe.3ae81d4.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
5.2.QUOTATION.exe.3ae81d4.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
5.2.QUOTATION.exe.3d58a06.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0xcd3b:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost 0xcd55:$x2: IClientNetworkHost
5.2.QUOTATION.exe.3d58a06.14.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0xcd3b:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost 0xcd28:$s5: IClientLoggingHost
5.2.QUOTATION.exe.3d58a06.14.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0xcd12:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0xcd3b:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0xcd03:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0xcd28:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0xcd55:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0xcb7e:$s1: ClientPlugin 0xcd1b:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
5.2.QUOTATION.exe.2b2384c.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
5.2.QUOTATION.exe.2b2384c.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
5.2.QUOTATION.exe.2b2384c.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
5.2.QUOTATION.exe.6b90000.28.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6b90000.28.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6b90000.28.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x67f:$x2: NanoCore.ClientPlugin 0x605:$x3: NanoCore.ClientPluginHost 0x695:$i3: IClientNetwork 0x61f:$i6: IClientLoggingHost 0x63e:$i7: IClientNetworkHost 0x688:$s1: ClientPlugin
5.2.QUOTATION.exe.3b38a28.13.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.QUOTATION.exe.3b38a28.13.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.QUOTATION.exe.3b38a28.13.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.QUOTATION.exe.3b38a28.13.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
5.0.QUOTATION.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.QUOTATION.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.QUOTATION.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.QUOTATION.exe.400000.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
5.0.QUOTATION.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.QUOTATION.exe.6b40000.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6b40000.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6b40000.25.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
5.2.QUOTATION.exe.5c60000.22.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.QUOTATION.exe.5c60000.22.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.QUOTATION.exe.5c60000.22.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.QUOTATION.exe.5c60000.22.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
5.2.QUOTATION.exe.6ea0000.36.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6ea0000.36.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6ea0000.36.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
5.2.QUOTATION.exe.6eae8a4.34.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6eae8a4.34.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6eae8a4.34.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
5.2.QUOTATION.exe.5ed0000.24.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
5.2.QUOTATION.exe.5ed0000.24.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
5.2.QUOTATION.exe.5ed0000.24.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
5.2.QUOTATION.exe.6d00000.31.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6d00000.31.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6d00000.31.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
5.2.QUOTATION.exe.2b175b4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
5.2.QUOTATION.exe.2b175b4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
5.2.QUOTATION.exe.2b175b4.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
5.2.QUOTATION.exe.6d20000.32.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6d20000.32.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6ea4c9f.35.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6ea4c9f.35.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6ea4c9f.35.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
5.2.QUOTATION.exe.6d20000.32.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
5.2.QUOTATION.exe.3e1d82f.17.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
5.2.QUOTATION.exe.3e1d82f.17.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
5.2.QUOTATION.exe.3e1d82f.17.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
5.2.QUOTATION.exe.6ee0000.37.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6ee0000.37.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6ee0000.37.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x41c9:$x2: NanoCore.ClientPlugin 0x41ee:$x3: NanoCore.ClientPluginHost 0x41ba:$i3: IClientNetwork 0x41df:$i4: IClientAppHost 0x4208:$i5: IClientDataHost 0x4218:$i6: IClientLoggingHost 0x422b:$i7: IClientNetworkHost 0x423e:$i8: IClientUIHost 0x424c:$i9: IClientNameObjectCollection 0x3f70:$s1: ClientPlugin 0x41d2:$s1: ClientPlugin
5.2.QUOTATION.exe.3e34a8e.18.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
5.2.QUOTATION.exe.3e34a8e.18.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
5.2.QUOTATION.exe.3e34a8e.18.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
5.2.QUOTATION.exe.3e34a8e.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x2840f:$x1: NanoCore.ClientPluginHost 0x3784f:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0x28429:$x2: IClientNetworkHost 0x3788c:$x2: IClientNetworkHost
5.2.QUOTATION.exe.3e34a8e.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x2840f:$x2: NanoCore.ClientPluginHost 0x3784f:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x2b74c:$s4: PipeCreated 0x3aca2:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost 0x283fc:$s5: IClientLoggingHost 0x37879:$s5: IClientLoggingHost
5.2.QUOTATION.exe.3e34a8e.18.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x283e6:$x2: NanoCore.ClientPlugin 0x3782a:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x2840f:$x3: NanoCore.ClientPluginHost 0x3784f:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x283d7:$i3: IClientNetwork 0x3781b:$i3: IClientNetwork 0x37840:$i4: IClientAppHost 0x37869:$i5: IClientDataHost 0x34f8:$i6: IClientLoggingHost 0x283fc:$i6: IClientLoggingHost 0x37879:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x28429:$i7: IClientNetworkHost 0x3788c:$i7: IClientNetworkHost 0x2843c:$i8: IClientUIHost 0x3789f:$i8: IClientUIHost 0x378ad:$i9: IClientNameObjectCollection 0x334e:$s1: ClientPlugin
5.0.QUOTATION.exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.QUOTATION.exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.QUOTATION.exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.QUOTATION.exe.400000.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
5.0.QUOTATION.exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.QUOTATION.exe.5c60000.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
5.2.QUOTATION.exe.5c60000.22.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
5.2.QUOTATION.exe.5c60000.22.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.QUOTATION.exe.5c60000.22.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
5.2.QUOTATION.exe.6d00000.31.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6d00000.31.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6d00000.31.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
5.0.QUOTATION.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.QUOTATION.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.QUOTATION.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.QUOTATION.exe.400000.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
5.0.QUOTATION.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.QUOTATION.exe.2b78f78.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb543:$x1: NanoCore.ClientPluginHost 0x13479:$x1: NanoCore.ClientPluginHost 0x1945c:$x1: NanoCore.ClientPluginHost 0x22ed7:$x1: NanoCore.ClientPluginHost 0x2d313:$x1: NanoCore.ClientPluginHost 0x38305:$x1: NanoCore.ClientPluginHost 0x440bb:$x1: NanoCore.ClientPluginHost 0x4fe12:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb57c:$x2: IClientNetworkHost 0x134b2:$x2: IClientNetworkHost 0x23034:$x2: IClientNetworkHost 0x2d34c:$x2: IClientNetworkHost 0x3831f:$x2: IClientNetworkHost 0x440d5:$x2: IClientNetworkHost 0x4fe4f:$x2: IClientNetworkHost
5.2.QUOTATION.exe.2b78f78.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0xb5bf:$x2: NanoCore.ClientPlugin 0x134f3:$x2: NanoCore.ClientPlugin 0x194a6:$x2: NanoCore.ClientPlugin 0x22fc1:$x2: NanoCore.ClientPlugin 0x2d3b3:$x2: NanoCore.ClientPlugin 0x382dc:$x2: NanoCore.ClientPlugin 0x44092:$x2: NanoCore.ClientPlugin 0x4fded:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0xb543:$x3: NanoCore.ClientPluginHost 0x13479:$x3: NanoCore.ClientPluginHost 0x1945c:$x3: NanoCore.ClientPluginHost 0x22ed7:$x3: NanoCore.ClientPluginHost 0x2d313:$x3: NanoCore.ClientPluginHost 0x38305:$x3: NanoCore.ClientPluginHost 0x440bb:$x3: NanoCore.ClientPluginHost 0x4fe12:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0xb5d5:$i3: IClientNetwork 0x13509:$i3: IClientNetwork
5.2.QUOTATION.exe.2b78f78.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb543:$a: NanoCore 0xb5bf:$a: NanoCore 0xdea2:$a: NanoCore 0x13479:$a: NanoCore 0x134f3:$a: NanoCore 0x1945c:$a: NanoCore 0x194a6:$a: NanoCore 0x1a100:$a: NanoCore 0x22ed7:$a: NanoCore 0x22fc1:$a: NanoCore 0x23e38:$a: NanoCore
5.2.QUOTATION.exe.6b90000.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6b90000.28.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6b90000.28.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
5.2.QUOTATION.exe.6b70000.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6b70000.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6b70000.26.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
5.2.QUOTATION.exe.6ba0000.29.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
5.2.QUOTATION.exe.6ba0000.29.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6ba0000.29.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
5.2.QUOTATION.exe.3d58a06.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x1193b:$x1: NanoCore.ClientPluginHost 0x3683f:$x1: NanoCore.ClientPluginHost 0x45c7f:$x1: NanoCore.ClientPluginHost 0x52ed4:$x1: NanoCore.ClientPluginHost 0x5deb1:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost 0x11955:$x2: IClientNetworkHost 0x36859:$x2: IClientNetworkHost 0x45cbc:$x2: IClientNetworkHost 0x52f0d:$x2: IClientNetworkHost 0x5decb:$x2: IClientNetworkHost
5.2.QUOTATION.exe.3d58a06.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x1193b:$x2: NanoCore.ClientPluginHost 0x3683f:$x2: NanoCore.ClientPluginHost 0x45c7f:$x2: NanoCore.ClientPluginHost 0x52ed4:$x2: NanoCore.ClientPluginHost 0x5deb1:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x136e6:$s4: PipeCreated 0x39b7c:$s4: PipeCreated 0x490d2:$s4: PipeCreated 0x5301f:$s4: PipeCreated 0x5eee6:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost 0x11928:$s5: IClientLoggingHost 0x3682c:$s5: IClientLoggingHost 0x45ca9:$s5: IClientLoggingHost 0x52eee:$s5: IClientLoggingHost 0x5de9e:$s5: IClientLoggingHost
5.2.QUOTATION.exe.3d58a06.14.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x11912:$x2: NanoCore.ClientPlugin 0x36816:$x2: NanoCore.ClientPlugin 0x45c5a:$x2: NanoCore.ClientPlugin 0x52f74:$x2: NanoCore.ClientPlugin 0x5de88:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x1193b:$x3: NanoCore.ClientPluginHost 0x3683f:$x3: NanoCore.ClientPluginHost 0x45c7f:$x3: NanoCore.ClientPluginHost 0x52ed4:$x3: NanoCore.ClientPluginHost 0x5deb1:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x11903:$i3: IClientNetwork 0x36807:$i3: IClientNetwork 0x45c4b:$i3: IClientNetwork 0x52f8a:$i3: IClientNetwork 0x5de79:$i3: IClientNetwork 0x45c70:$i4: IClientAppHost 0x45c99:$i5: IClientDataHost 0x52f2c:$i5: IClientDataHost
5.2.QUOTATION.exe.3d58a06.14.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5b70:$a: NanoCore 0x5b99:$a: NanoCore 0x11912:$a: NanoCore 0x1193b:$a: NanoCore 0x367fe:$a: NanoCore 0x36816:$a: NanoCore 0x3683f:$a: NanoCore 0x45c42:$a: NanoCore 0x45c5a:$a: NanoCore 0x45c7f:$a: NanoCore 0x52bb4:$a: NanoCore 0x52c15:$a: NanoCore 0x52c58:$a: NanoCore 0x52c98:$a: NanoCore 0x52ed4:$a: NanoCore 0x52f74:$a: NanoCore 0x5374c:$a: NanoCore 0x53d3f:$a: NanoCore 0x53e90:$a: NanoCore 0x54cea:$a: NanoCore 0x54f51:$a: NanoCore
5.2.QUOTATION.exe.2b8a1ec.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x3be8:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
5.2.QUOTATION.exe.2b8a1ec.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x3be8:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x3cc6:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost 0x3c02:$s5: IClientLoggingHost
5.2.QUOTATION.exe.2b8a1ec.7.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x67f:$x2: NanoCore.ClientPlugin 0x3c32:$x2: NanoCore.ClientPlugin 0x605:$x3: NanoCore.ClientPluginHost 0x3be8:$x3: NanoCore.ClientPluginHost 0x695:$i3: IClientNetwork 0x3c48:$i3: IClientNetwork 0x61f:$i6: IClientLoggingHost 0x3c02:$i6: IClientLoggingHost 0x63e:$i7: IClientNetworkHost 0x688:$s1: ClientPlugin 0x3c3b:$s1: ClientPlugin
5.2.QUOTATION.exe.2b7e9b0.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0xa041:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost 0xa07a:$x2: IClientNetworkHost
5.2.QUOTATION.exe.2b7e9b0.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0xa041:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0xa15c:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost 0xa05b:$s5: IClientLoggingHost
5.2.QUOTATION.exe.2b7e9b0.5.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3f87:$x2: NanoCore.ClientPlugin 0xa0bb:$x2: NanoCore.ClientPlugin 0x3f0b:$x3: NanoCore.ClientPluginHost 0xa041:$x3: NanoCore.ClientPluginHost 0x3f9d:$i3: IClientNetwork 0xa0d1:$i3: IClientNetwork 0x3f25:$i6: IClientLoggingHost 0xa05b:$i6: IClientLoggingHost 0x3f44:$i7: IClientNetworkHost 0xa07a:$i7: IClientNetworkHost 0x3bfb:$s1: ClientPlugin 0x3f90:$s1: ClientPlugin 0x9ddb:$s1: ClientPlugin 0xa0c4:$s1: ClientPlugin 0x50f4:$s3: IPAddress
5.2.QUOTATION.exe.6ea0000.36.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6ea0000.36.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6ea0000.36.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
5.2.QUOTATION.exe.5bc0000.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.QUOTATION.exe.5bc0000.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
5.2.QUOTATION.exe.5bc0000.20.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
1.2.QUOTATION.exe.36095b8.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.QUOTATION.exe.36095b8.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.QUOTATION.exe.36095b8.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.QUOTATION.exe.36095b8.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
1.2.QUOTATION.exe.36095b8.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.QUOTATION.exe.6d20000.32.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
5.2.QUOTATION.exe.6d20000.32.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
5.2.QUOTATION.exe.6d20000.32.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
5.2.QUOTATION.exe.3ad9930.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
5.2.QUOTATION.exe.3ad9930.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
5.2.QUOTATION.exe.3ad9930.9.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
5.2.QUOTATION.exe.2b7e9b0.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0xda41:$x1: NanoCore.ClientPluginHost 0x13a24:$x1: NanoCore.ClientPluginHost 0x1d49f:$x1: NanoCore.ClientPluginHost 0x278db:$x1: NanoCore.ClientPluginHost 0x328cd:$x1: NanoCore.ClientPluginHost 0x3e683:$x1: NanoCore.ClientPluginHost 0x4a3da:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost 0xda7a:$x2: IClientNetworkHost 0x1d5fc:$x2: IClientNetworkHost 0x27914:$x2: IClientNetworkHost 0x328e7:$x2: IClientNetworkHost 0x3e69d:$x2: IClientNetworkHost 0x4a417:$x2: IClientNetworkHost
5.2.QUOTATION.exe.2b7e9b0.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0xdabb:$x2: NanoCore.ClientPlugin 0x13a6e:$x2: NanoCore.ClientPlugin 0x1d589:$x2: NanoCore.ClientPlugin 0x2797b:$x2: NanoCore.ClientPlugin 0x328a4:$x2: NanoCore.ClientPlugin 0x3e65a:$x2: NanoCore.ClientPlugin 0x4a3b5:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0xda41:$x3: NanoCore.ClientPluginHost 0x13a24:$x3: NanoCore.ClientPluginHost 0x1d49f:$x3: NanoCore.ClientPluginHost 0x278db:$x3: NanoCore.ClientPluginHost 0x328cd:$x3: NanoCore.ClientPluginHost 0x3e683:$x3: NanoCore.ClientPluginHost 0x4a3da:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0xdad1:$i3: IClientNetwork 0x13a84:$i3: IClientNetwork 0x1d59f:$i3: IClientNetwork 0x27991:$i3: IClientNetwork
5.2.QUOTATION.exe.2b7e9b0.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5b0b:$a: NanoCore 0x5b87:$a: NanoCore 0x846a:$a: NanoCore 0xda41:$a: NanoCore 0xdabb:$a: NanoCore 0x13a24:$a: NanoCore 0x13a6e:$a: NanoCore 0x146c8:$a: NanoCore 0x1d49f:$a: NanoCore 0x1d589:$a: NanoCore 0x1e400:$a: NanoCore 0x275bb:$a: NanoCore 0x2761c:$a: NanoCore 0x2765f:$a: NanoCore 0x2769f:$a: NanoCore 0x278db:$a: NanoCore 0x2797b:$a: NanoCore 0x28153:$a: NanoCore 0x28746:$a: NanoCore 0x28897:$a: NanoCore 0x296f1:$a: NanoCore
5.2.QUOTATION.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.QUOTATION.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.QUOTATION.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.QUOTATION.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
5.2.QUOTATION.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.QUOTATION.exe.3d4fbd7.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0xe9c8:$x1: NanoCore.ClientPluginHost 0x1a76a:$x1: NanoCore.ClientPluginHost 0x3f66e:$x1: NanoCore.ClientPluginHost 0x4eaae:$x1: NanoCore.ClientPluginHost 0x5bd03:$x1: NanoCore.ClientPluginHost 0x66ce0:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost 0xe9e2:$x2: IClientNetworkHost 0x1a784:$x2: IClientNetworkHost 0x3f688:$x2: IClientNetworkHost 0x4eaeb:$x2: IClientNetworkHost 0x5bd3c:$x2: IClientNetworkHost 0x66cfa:$x2: IClientNetworkHost
5.2.QUOTATION.exe.3d4fbd7.15.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0xe9c8:$x2: NanoCore.ClientPluginHost 0x1a76a:$x2: NanoCore.ClientPluginHost 0x3f66e:$x2: NanoCore.ClientPluginHost 0x4eaae:$x2: NanoCore.ClientPluginHost 0x5bd03:$x2: NanoCore.ClientPluginHost 0x66ce0:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0xf9fd:$s4: PipeCreated 0x1c515:$s4: PipeCreated 0x429ab:$s4: PipeCreated 0x51f01:$s4: PipeCreated 0x5be4e:$s4: PipeCreated 0x67d15:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost 0xe9b5:$s5: IClientLoggingHost 0x1a757:$s5: IClientLoggingHost 0x3f65b:$s5: IClientLoggingHost 0x4ead8:$s5: IClientLoggingHost 0x5bd1d:$s5: IClientLoggingHost 0x66ccd:$s5: IClientLoggingHost
5.2.QUOTATION.exe.3d4fbd7.15.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0xe99f:$x2: NanoCore.ClientPlugin 0x1a741:$x2: NanoCore.ClientPlugin 0x3f645:$x2: NanoCore.ClientPlugin 0x4ea89:$x2: NanoCore.ClientPlugin 0x5bda3:$x2: NanoCore.ClientPlugin 0x66cb7:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0xe9c8:$x3: NanoCore.ClientPluginHost 0x1a76a:$x3: NanoCore.ClientPluginHost 0x3f66e:$x3: NanoCore.ClientPluginHost 0x4eaae:$x3: NanoCore.ClientPluginHost 0x5bd03:$x3: NanoCore.ClientPluginHost 0x66ce0:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0xe990:$i3: IClientNetwork 0x1a732:$i3: IClientNetwork 0x3f636:$i3: IClientNetwork 0x4ea7a:$i3: IClientNetwork 0x5bdb9:$i3: IClientNetwork 0x66ca8:$i3: IClientNetwork
5.2.QUOTATION.exe.3d4fbd7.15.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36cb:$a: NanoCore 0x372c:$a: NanoCore 0x376f:$a: NanoCore 0x37af:$a: NanoCore 0x39eb:$a: NanoCore 0x3a8b:$a: NanoCore 0x4263:$a: NanoCore 0x4856:$a: NanoCore 0x49a7:$a: NanoCore 0x5801:$a: NanoCore 0x5a68:$a: NanoCore 0x5a7d:$a: NanoCore 0x5a9c:$a: NanoCore 0xe99f:$a: NanoCore 0xe9c8:$a: NanoCore 0x1a741:$a: NanoCore 0x1a76a:$a: NanoCore 0x3f62d:$a: NanoCore 0x3f645:$a: NanoCore 0x3f66e:$a: NanoCore 0x4ea71:$a: NanoCore
5.0.QUOTATION.exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.QUOTATION.exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.QUOTATION.exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.QUOTATION.exe.400000.12.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
5.0.QUOTATION.exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.QUOTATION.exe.3e2665e.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x1193b:$x1: NanoCore.ClientPluginHost 0x3683f:$x1: NanoCore.ClientPluginHost 0x45c7f:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost 0x11955:$x2: IClientNetworkHost 0x36859:$x2: IClientNetworkHost 0x45cbc:$x2: IClientNetworkHost
5.2.QUOTATION.exe.3e2665e.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x1193b:$x2: NanoCore.ClientPluginHost 0x3683f:$x2: NanoCore.ClientPluginHost 0x45c7f:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x136e6:$s4: PipeCreated 0x39b7c:$s4: PipeCreated 0x490d2:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost 0x11928:$s5: IClientLoggingHost 0x3682c:$s5: IClientLoggingHost 0x45ca9:$s5: IClientLoggingHost
5.2.QUOTATION.exe.3e2665e.19.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x11912:$x2: NanoCore.ClientPlugin 0x36816:$x2: NanoCore.ClientPlugin 0x45c5a:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x1193b:$x3: NanoCore.ClientPluginHost 0x3683f:$x3: NanoCore.ClientPluginHost 0x45c7f:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x11903:$i3: IClientNetwork 0x36807:$i3: IClientNetwork 0x45c4b:$i3: IClientNetwork 0x45c70:$i4: IClientAppHost 0x45c99:$i5: IClientDataHost 0x5b86:$i6: IClientLoggingHost 0x11928:$i6: IClientLoggingHost 0x3682c:$i6: IClientLoggingHost 0x45ca9:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x11955:$i7: IClientNetworkHost 0x36859:$i7: IClientNetworkHost
5.2.QUOTATION.exe.3d66e36.16.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
5.2.QUOTATION.exe.3d66e36.16.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
5.2.QUOTATION.exe.3d66e36.16.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
1.2.QUOTATION.exe.36095b8.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x20fc75:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x20fcb2:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2137e5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.QUOTATION.exe.36095b8.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.QUOTATION.exe.36095b8.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x1bb0bb:$s1: file:/// 0x1bafcb:$s2: {11111-22222-10009-11112} 0x1bb04b:$s3: {11111-22222-50001-00000} 0x1b8a11:$s4: get_Module 0x1b8e80:$s5: Reverse 0x1af6f:$s6: BlockCopy 0x4d78f:$s6: BlockCopy 0x1bab9e:$s6: BlockCopy 0x21aa57:$s6: BlockCopy 0x1af66:$s7: ReadByte 0x4d786:$s7: ReadByte 0x21aa4e:$s7: ReadByte 0x1bb0cd:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
1.2.QUOTATION.exe.36095b8.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42715:$x1: NanoCore Client 0x42725:$x1: NanoCore Client 0x20f9dd:$x1: NanoCore Client 0x20f9ed:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x4296d:$x2: NanoCore.ClientPlugin 0x20fc35:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x429ad:$x3: NanoCore.ClientPluginHost 0x20fc75:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42962:$i1: IClientApp 0x20fc2a:$i1: IClientApp 0x10163:$i2: IClientData 0x42983:$i2: IClientData 0x20fc4b:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x4298f:$i3: IClientNetwork 0x20fc57:$i3: IClientNetwork
1.2.QUOTATION.exe.36095b8.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0x20f9dd:$a: NanoCore 0x20f9ed:$a: NanoCore 0x20fc21:$a: NanoCore 0x20fc35:$a: NanoCore 0x20fc75:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin
5.2.QUOTATION.exe.3e2665e.19.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0xcd3b:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost 0xcd55:$x2: IClientNetworkHost
5.2.QUOTATION.exe.3e2665e.19.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0xcd3b:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost 0xcd28:$s5: IClientLoggingHost
5.2.QUOTATION.exe.3e2665e.19.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0xcd12:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0xcd3b:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0xcd03:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0xcd28:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0xcd55:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0xcb7e:$s1: ClientPlugin 0xcd1b:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
5.2.QUOTATION.exe.3d66e36.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x2840f:$x1: NanoCore.ClientPluginHost 0x3784f:$x1: NanoCore.ClientPluginHost 0x44aa4:$x1: NanoCore.ClientPluginHost 0x4fa81:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0x28429:$x2: IClientNetworkHost 0x3788c:$x2: IClientNetworkHost 0x44add:$x2: IClientNetworkHost 0x4fa9b:$x2: IClientNetworkHost
5.2.QUOTATION.exe.3d66e36.16.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x2840f:$x2: NanoCore.ClientPluginHost 0x3784f:$x2: NanoCore.ClientPluginHost 0x44aa4:$x2: NanoCore.ClientPluginHost 0x4fa81:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x2b74c:$s4: PipeCreated 0x3aca2:$s4: PipeCreated 0x44bef:$s4: PipeCreated 0x50ab6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost 0x283fc:$s5: IClientLoggingHost 0x37879:$s5: IClientLoggingHost 0x44abe:$s5: IClientLoggingHost 0x4fa6e:$s5: IClientLoggingHost
5.2.QUOTATION.exe.3d66e36.16.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x283e6:$x2: NanoCore.ClientPlugin 0x3782a:$x2: NanoCore.ClientPlugin 0x44b44:$x2: NanoCore.ClientPlugin 0x4fa58:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x2840f:$x3: NanoCore.ClientPluginHost 0x3784f:$x3: NanoCore.ClientPluginHost 0x44aa4:$x3: NanoCore.ClientPluginHost 0x4fa81:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x283d7:$i3: IClientNetwork 0x3781b:$i3: IClientNetwork 0x44b5a:$i3: IClientNetwork 0x4fa49:$i3: IClientNetwork 0x37840:$i4: IClientAppHost 0x37869:$i5: IClientDataHost 0x44afc:$i5: IClientDataHost 0x34f8:$i6: IClientLoggingHost 0x283fc:$i6: IClientLoggingHost 0x37879:$i6: IClientLoggingHost
5.2.QUOTATION.exe.3d66e36.16.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x34e2:$a: NanoCore 0x350b:$a: NanoCore 0x283ce:$a: NanoCore 0x283e6:$a: NanoCore 0x2840f:$a: NanoCore 0x37812:$a: NanoCore 0x3782a:$a: NanoCore 0x3784f:$a: NanoCore 0x44784:$a: NanoCore 0x447e5:$a: NanoCore 0x44828:$a: NanoCore 0x44868:$a: NanoCore 0x44aa4:$a: NanoCore 0x44b44:$a: NanoCore 0x4531c:$a: NanoCore 0x4590f:$a: NanoCore 0x45a60:$a: NanoCore 0x468ba:$a: NanoCore 0x46b21:$a: NanoCore 0x46b36:$a: NanoCore 0x46b55:$a: NanoCore
5.2.QUOTATION.exe.2b8a1ec.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x81e8:$x1: NanoCore.ClientPluginHost 0x11c63:$x1: NanoCore.ClientPluginHost 0x1c09f:$x1: NanoCore.ClientPluginHost 0x27091:$x1: NanoCore.ClientPluginHost 0x32e47:$x1: NanoCore.ClientPluginHost 0x3eb9e:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost 0x11dc0:$x2: IClientNetworkHost 0x1c0d8:$x2: IClientNetworkHost 0x270ab:$x2: IClientNetworkHost 0x32e61:$x2: IClientNetworkHost 0x3ebdb:$x2: IClientNetworkHost
5.2.QUOTATION.exe.2b8a1ec.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x8232:$x2: NanoCore.ClientPlugin 0x11d4d:$x2: NanoCore.ClientPlugin 0x1c13f:$x2: NanoCore.ClientPlugin 0x27068:$x2: NanoCore.ClientPlugin 0x32e1e:$x2: NanoCore.ClientPlugin 0x3eb79:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x81e8:$x3: NanoCore.ClientPluginHost 0x11c63:$x3: NanoCore.ClientPluginHost 0x1c09f:$x3: NanoCore.ClientPluginHost 0x27091:$x3: NanoCore.ClientPluginHost 0x32e47:$x3: NanoCore.ClientPluginHost 0x3eb9e:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x8248:$i3: IClientNetwork 0x11d63:$i3: IClientNetwork 0x1c155:$i3: IClientNetwork 0x27059:$i3: IClientNetwork 0x32e0f:$i3: IClientNetwork 0x3eb6a:$i3: IClientNetwork
5.2.QUOTATION.exe.2b8a1ec.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2205:$a: NanoCore 0x227f:$a: NanoCore 0x81e8:$a: NanoCore 0x8232:$a: NanoCore 0x8e8c:$a: NanoCore 0x11c63:$a: NanoCore 0x11d4d:$a: NanoCore 0x12bc4:$a: NanoCore 0x1bd7f:$a: NanoCore 0x1bde0:$a: NanoCore 0x1be23:$a: NanoCore 0x1be63:$a: NanoCore 0x1c09f:$a: NanoCore 0x1c13f:$a: NanoCore 0x1c917:$a: NanoCore 0x1cf0a:$a: NanoCore 0x1d05b:$a: NanoCore 0x1deb5:$a: NanoCore 0x1e11c:$a: NanoCore 0x1e131:$a: NanoCore 0x1e150:$a: NanoCore
1.2.QUOTATION.exe.2518984.3.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
1.2.QUOTATION.exe.2518984.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x27353a:$v1: SbieDll.dll 0x273554:$v2: USER 0x273560:$v3: SANDBOX 0x273572:$v4: VIRUS 0x2735c2:$v4: VIRUS 0x273580:$v5: MALWARE 0x273592:$v6: SCHMIDTI 0x2735a6:$v7: CURRENTUSER
5.2.QUOTATION.exe.2b081f8.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x13f77:$x1: NanoCore.ClientPluginHost 0x241f9:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x13fa1:$x2: IClientNetworkHost 0x24226:$x2: IClientNetworkHost
5.2.QUOTATION.exe.2b081f8.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x13f77:$x2: NanoCore.ClientPluginHost 0x241f9:$x2: NanoCore.ClientPluginHost 0x251c8:$s2: FileCommand 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x15e27:$s4: PipeCreated 0x29bca:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x24213:$s5: IClientLoggingHost
5.2.QUOTATION.exe.2b081f8.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x13f52:$x2: NanoCore.ClientPlugin 0x241d3:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x13f77:$x3: NanoCore.ClientPluginHost 0x241f9:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x13f43:$i3: IClientNetwork 0x241c4:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0x13f68:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x13f91:$i5: IClientDataHost 0x241e9:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x24213:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0x13fa1:$i7: IClientNetworkHost 0x24226:$i7: IClientNetworkHost
5.2.QUOTATION.exe.2b081f8.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x13f52:$a: NanoCore 0x13f77:$a: NanoCore 0x13fd0:$a: NanoCore 0x241d3:$a: NanoCore 0x241f9:$a: NanoCore 0x24255:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x13d49:$b: ClientPlugin 0x13d5a:$b: ClientPlugin 0x13d8a:$b: ClientPlugin 0x13f5b:$b: ClientPlugin 0x13f80:$b: ClientPlugin 0x23f0f:$b: ClientPlugin 0x23f26:$b: ClientPlugin
1.2.QUOTATION.exe.252be1c.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
1.2.QUOTATION.exe.252be1c.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2600a2:$v1: SbieDll.dll 0x2600bc:$v2: USER 0x2600c8:$v3: SANDBOX 0x2600da:$v4: VIRUS 0x26012a:$v4: VIRUS 0x2600e8:$v5: MALWARE 0x2600fa:$v6: SCHMIDTI 0x26010e:$v7: CURRENTUSER
1.2.QUOTATION.exe.251fbd0.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
1.2.QUOTATION.exe.251fbd0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x26c2ee:$v1: SbieDll.dll 0x26c308:$v2: USER 0x26c314:$v3: SANDBOX 0x26c326:$v4: VIRUS 0x26c376:$v4: VIRUS 0x26c334:$v5: MALWARE 0x26c346:$v6: SCHMIDTI 0x26c35a:$v7: CURRENTUSER
1.2.QUOTATION.exe.35cbd98.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4d9ad:$x1: NanoCore.ClientPluginHost 0x801cd:$x1: NanoCore.ClientPluginHost 0x24d495:$x1: NanoCore.ClientPluginHost 0x4d9ea:$x2: IClientNetworkHost 0x8020a:$x2: IClientNetworkHost 0x24d4d2:$x2: IClientNetworkHost 0x5151d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x83d3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x251005:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.QUOTATION.exe.35cbd98.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.QUOTATION.exe.35cbd98.7.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x1f88db:$s1: file:/// 0x1f87eb:$s2: {11111-22222-10009-11112} 0x1f886b:$s3: {11111-22222-50001-00000} 0x1f6231:$s4: get_Module 0x1f66a0:$s5: Reverse 0x5878f:$s6: BlockCopy 0x8afaf:$s6: BlockCopy 0x1f83be:$s6: BlockCopy 0x258277:$s6: BlockCopy 0x58786:$s7: ReadByte 0x8afa6:$s7: ReadByte 0x25826e:$s7: ReadByte 0x1f88ed:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
1.2.QUOTATION.exe.35cbd98.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4d715:$x1: NanoCore Client 0x4d725:$x1: NanoCore Client 0x7ff35:$x1: NanoCore Client 0x7ff45:$x1: NanoCore Client 0x24d1fd:$x1: NanoCore Client 0x24d20d:$x1: NanoCore Client 0x4d96d:$x2: NanoCore.ClientPlugin 0x8018d:$x2: NanoCore.ClientPlugin 0x24d455:$x2: NanoCore.ClientPlugin 0x4d9ad:$x3: NanoCore.ClientPluginHost 0x801cd:$x3: NanoCore.ClientPluginHost 0x24d495:$x3: NanoCore.ClientPluginHost 0x4d962:$i1: IClientApp 0x80182:$i1: IClientApp 0x24d44a:$i1: IClientApp 0x4d983:$i2: IClientData 0x801a3:$i2: IClientData 0x24d46b:$i2: IClientData 0x4d98f:$i3: IClientNetwork 0x801af:$i3: IClientNetwork 0x24d477:$i3: IClientNetwork
1.2.QUOTATION.exe.35cbd98.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4d715:$a: NanoCore 0x4d725:$a: NanoCore 0x4d959:$a: NanoCore 0x4d96d:$a: NanoCore 0x4d9ad:$a: NanoCore 0x7ff35:$a: NanoCore 0x7ff45:$a: NanoCore 0x80179:$a: NanoCore 0x8018d:$a: NanoCore 0x801cd:$a: NanoCore 0x24d1fd:$a: NanoCore 0x24d20d:$a: NanoCore 0x24d441:$a: NanoCore 0x24d455:$a: NanoCore 0x24d495:$a: NanoCore 0x4d774:$b: ClientPlugin 0x4d976:$b: ClientPlugin 0x4d9b6:$b: ClientPlugin 0x7ff94:$b: ClientPlugin 0x80196:$b: ClientPlugin 0x801d6:$b: ClientPlugin
Click to see the 232 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\QUOTATION.exe, ProcessId: 1052, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\QUOTATION.exe, ProcessId: 1052, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\QUOTATION.exe, ProcessId: 1052, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\QUOTATION.exe, ProcessId: 1052, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Snort Signatures

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 212.193.30.204

Timestamp:	192.168.2.6212.193.30.2044977411872816766 05/11/22-18:34:53.312719
SID:	2816766
Source Port:	49774
Destination Port:	1187
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 212.193.30.204

Timestamp:	192.168.2.6212.193.30.2044985611872816766 05/11/22-18:36:21.786696
SID:	2816766
Source Port:	49856
Destination Port:	1187
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 212.193.30.204

Timestamp:	192.168.2.6212.193.30.2044983111872816766 05/11/22-18:36:15.708740
SID:	2816766
Source Port:	49831
Destination Port:	1187
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keepalive Response 1 - Source IP: 212.193.30.204 - Destination IP: 192.168.2.6

Timestamp:	212.193.30.204192.168.2.61187497802810290 05/11/22-18:35:07.758520
SID:	2810290
Source Port:	1187
Destination Port:	49780
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 212.193.30.204

Timestamp:	192.168.2.6212.193.30.2044980511872816766 05/11/22-18:36:01.158778
SID:	2816766
Source Port:	49805
Destination Port:	1187
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 212.193.30.204

Timestamp:	192.168.2.6212.193.30.2044980011872816766 05/11/22-18:35:40.802538
SID:	2816766
Source Port:	49800
Destination Port:	1187
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 212.193.30.204

Timestamp:	192.168.2.6212.193.30.2044977711872816766 05/11/22-18:35:01.955240
SID:	2816766
Source Port:	49777
Destination Port:	1187
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 212.193.30.204

Timestamp:	192.168.2.6212.193.30.2044978711872816766 05/11/22-18:35:14.531508
SID:	2816766
Source Port:	49787
Destination Port:	1187
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 212.193.30.204

Timestamp:	192.168.2.6212.193.30.2044979711872816766 05/11/22-18:35:34.087505
SID:	2816766
Source Port:	49797
Destination Port:	1187
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 212.193.30.204

Timestamp:	192.168.2.6212.193.30.2044986211872816766 05/11/22-18:36:27.889829
SID:	2816766
Source Port:	49862
Destination Port:	1187
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 212.193.30.204

Timestamp:	192.168.2.6212.193.30.2044980911872816766 05/11/22-18:36:07.741009
SID:	2816766
Source Port:	49809
Destination Port:	1187
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.6 - Destination IP: 212.193.30.204

Timestamp:	192.168.2.6212.193.30.2044979711872816718 05/11/22-18:35:34.087505
SID:	2816718
Source Port:	49797
Destination Port:	1187
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 212.193.30.204

Timestamp:	192.168.2.6212.193.30.2044980211872816766 05/11/22-18:35:47.819257
SID:	2816766
Source Port:	49802
Destination Port:	1187
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 212.193.30.204 - Destination IP: 192.168.2.6

Timestamp:	212.193.30.204192.168.2.61187498622841753 05/11/22-18:36:36.975115
SID:	2841753
Source Port:	1187
Destination Port:	49862
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 212.193.30.204

Timestamp:	192.168.2.6212.193.30.2044978011872816766 05/11/22-18:35:07.459686
SID:	2816766
Source Port:	49780
Destination Port:	1187
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 212.193.30.204

Timestamp:	192.168.2.6212.193.30.2044979611872816766 05/11/22-18:35:26.904734
SID:	2816766
Source Port:	49796
Destination Port:	1187
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 212.193.30.204

Timestamp:	192.168.2.6212.193.30.2044978811872816766 05/11/22-18:35:20.778412
SID:	2816766
Source Port:	49788
Destination Port:	1187
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "fe56abb4-cb76-44f1-89b4-7bb11730", "Group": "Default", "Domain1": "deranano2.ddns.net", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for submitted file

Source: QUOTATION.exe

ReversingLabs: Detection: 17%

Antivirus detection for URL or domain

Source: deranano2.ddns.net

Avira URL Cloud: Label: malware

Yara detected Nanocore RAT

Source: Yara match	File source: 5.2.QUOTATION.exe.5c64629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.3b38a28.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.3b2458d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.3b3d051.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.3b38a28.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.5c60000.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.5c60000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION.exe PID: 636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QUOTATION.exe PID: 1052, type: MEMORYSTR

Source: 5.0.QUOTATION.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.QUOTATION.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.QUOTATION.exe.5c60000.22.unpack	Avira: Label: TR/NanoCore.fadte
Source: 5.0.QUOTATION.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.QUOTATION.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.QUOTATION.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.QUOTATION.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: QUOTATION.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: QUOTATION.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: QUOTATION.exe, 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: IClosa.pdb source: QUOTATION.exe
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: QUOTATION.exe, 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49774 -> 212.193.30.204:1187
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49777 -> 212.193.30.204:1187
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49780 -> 212.193.30.204:1187
Source: Traffic	Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 212.193.30.204:1187 -> 192.168.2.6:49780
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49787 -> 212.193.30.204:1187
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49788 -> 212.193.30.204:1187
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49796 -> 212.193.30.204:1187
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49797 -> 212.193.30.204:1187
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.6:49797 -> 212.193.30.204:1187
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49800 -> 212.193.30.204:1187
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49802 -> 212.193.30.204:1187
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49805 -> 212.193.30.204:1187
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49809 -> 212.193.30.204:1187
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49831 -> 212.193.30.204:1187
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49856 -> 212.193.30.204:1187
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49862 -> 212.193.30.204:1187
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 212.193.30.204:1187 -> 192.168.2.6:49862

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: deranano2.ddns.net

Uses dynamic DNS services

Source: unknown

DNS query: name: deranano2.ddns.net

Source: Joe Sandbox View

ASN Name: SPD-NETTR SPD-NETTR

Source: Joe Sandbox View

IP Address: 212.193.30.204 212.193.30.204

Source: global traffic

TCP traffic: 192.168.2.6:49774 -> 212.193.30.204:1187

Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: deranano2.ddns.net

Source: QUOTATION.exe, 00000001.00000002.415699378.000000000085B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: QUOTATION.exe, 00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 5.2.QUOTATION.exe.5c64629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.3b38a28.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.3b2458d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.3b3d051.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.3b38a28.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.5c60000.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.5c60000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION.exe PID: 636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QUOTATION.exe PID: 1052, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.QUOTATION.exe.6e90000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6e90000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.6e90000.33.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6e90000.33.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.6bb0000.30.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6bb0000.30.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3d4fbd7.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.3d4fbd7.15.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.5c64629.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.5c64629.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.6b80000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6b80000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.5ed0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.5ed0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3ade5cf.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.3ade5cf.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3ad9930.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.3ad9930.9.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.6ee0000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6ee0000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3b38a28.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.3b38a28.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3e1d82f.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.3e1d82f.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3e1d82f.17.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.QUOTATION.exe.6b80000.27.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6b80000.27.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.2b2384c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.2b2384c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.2b175b4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.2b175b4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.6bb0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6bb0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3b2458d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.3b2458d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.QUOTATION.exe.6b40000.25.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6b40000.25.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3b3d051.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.3b3d051.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3ae81d4.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.3ae81d4.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3d58a06.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.3d58a06.14.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.2b2384c.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.2b2384c.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.6b90000.28.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6b90000.28.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3b38a28.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.3b38a28.13.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.QUOTATION.exe.6b40000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6b40000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.5c60000.22.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.5c60000.22.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.6ea0000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6ea0000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.6eae8a4.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6eae8a4.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.5ed0000.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.5ed0000.24.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.6d00000.31.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6d00000.31.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.2b175b4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.2b175b4.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.6d20000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6ea4c9f.35.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6ea4c9f.35.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.6d20000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3e1d82f.17.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.3e1d82f.17.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.6ee0000.37.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6ee0000.37.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3e34a8e.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.3e34a8e.18.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3e34a8e.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.3e34a8e.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.QUOTATION.exe.5c60000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.5c60000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.6d00000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6d00000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.QUOTATION.exe.2b78f78.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.2b78f78.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.2b78f78.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.QUOTATION.exe.6b90000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6b90000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.6b70000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6b70000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.6ba0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6ba0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3d58a06.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.3d58a06.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3d58a06.14.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.QUOTATION.exe.2b8a1ec.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.2b8a1ec.7.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.2b7e9b0.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.2b7e9b0.5.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.6ea0000.36.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6ea0000.36.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.5bc0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.5bc0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.QUOTATION.exe.6d20000.32.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.6d20000.32.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3ad9930.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.3ad9930.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.2b7e9b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.2b7e9b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.2b7e9b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.QUOTATION.exe.3d4fbd7.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.3d4fbd7.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3d4fbd7.15.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.QUOTATION.exe.3e2665e.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.3e2665e.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3d66e36.16.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.3d66e36.16.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.QUOTATION.exe.3e2665e.19.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.3e2665e.19.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3d66e36.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.3d66e36.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.3d66e36.16.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.QUOTATION.exe.2b8a1ec.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.2b8a1ec.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.2b8a1ec.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.QUOTATION.exe.2518984.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 5.2.QUOTATION.exe.2b081f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.QUOTATION.exe.2b081f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.QUOTATION.exe.2b081f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.QUOTATION.exe.252be1c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 1.2.QUOTATION.exe.251fbd0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: QUOTATION.exe PID: 636, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: QUOTATION.exe PID: 636, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: QUOTATION.exe PID: 1052, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: QUOTATION.exe PID: 1052, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION.exe

Source: QUOTATION.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 5.2.QUOTATION.exe.6e90000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6e90000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6e90000.33.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.6e90000.33.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6e90000.33.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6e90000.33.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.6bb0000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6bb0000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6bb0000.30.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3d4fbd7.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.3d4fbd7.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.3d4fbd7.15.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.5c64629.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.5c64629.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.5c64629.21.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.6b80000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6b80000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6b80000.27.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.5ed0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.5ed0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.5ed0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3ade5cf.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.3ade5cf.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.3ade5cf.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3ad9930.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.3ad9930.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.3ad9930.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.6ee0000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6ee0000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6ee0000.37.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3b38a28.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.3b38a28.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.3b38a28.13.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3e1d82f.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.3e1d82f.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.3e1d82f.17.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3e1d82f.17.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.QUOTATION.exe.6b80000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6b80000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6b80000.27.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.2b2384c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.2b2384c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.2b2384c.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.2b175b4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.2b175b4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.2b175b4.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.6bb0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6bb0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6bb0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3b2458d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.3b2458d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.3b2458d.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.QUOTATION.exe.6b40000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6b40000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6b40000.25.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3b3d051.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.3b3d051.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.3b3d051.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3ae81d4.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.3ae81d4.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.3ae81d4.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3d58a06.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.3d58a06.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.3d58a06.14.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.2b2384c.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.2b2384c.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.2b2384c.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.6b90000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6b90000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6b90000.28.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3b38a28.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.3b38a28.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.3b38a28.13.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.QUOTATION.exe.6b40000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6b40000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6b40000.25.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.5c60000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.5c60000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.5c60000.22.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.6ea0000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6ea0000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6ea0000.36.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.6eae8a4.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6eae8a4.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6eae8a4.34.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.5ed0000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.5ed0000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.5ed0000.24.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.6d00000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6d00000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6d00000.31.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.2b175b4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.2b175b4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.2b175b4.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.6d20000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6d20000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6ea4c9f.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6ea4c9f.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6ea4c9f.35.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.6d20000.32.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3e1d82f.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.3e1d82f.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.3e1d82f.17.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.6ee0000.37.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6ee0000.37.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6ee0000.37.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3e34a8e.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.3e34a8e.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.3e34a8e.18.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3e34a8e.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.3e34a8e.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.3e34a8e.18.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.QUOTATION.exe.5c60000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.5c60000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.5c60000.22.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.6d00000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6d00000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6d00000.31.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.QUOTATION.exe.2b78f78.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.2b78f78.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.2b78f78.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.QUOTATION.exe.6b90000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6b90000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6b90000.28.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.6b70000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6b70000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6b70000.26.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.6ba0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6ba0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6ba0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3d58a06.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.3d58a06.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.3d58a06.14.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3d58a06.14.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.QUOTATION.exe.2b8a1ec.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.2b8a1ec.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.2b8a1ec.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.2b7e9b0.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.2b7e9b0.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.2b7e9b0.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.6ea0000.36.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6ea0000.36.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6ea0000.36.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.5bc0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.5bc0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.5bc0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.QUOTATION.exe.6d20000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.6d20000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.6d20000.32.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3ad9930.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.3ad9930.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.3ad9930.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.2b7e9b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.2b7e9b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.2b7e9b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.QUOTATION.exe.3d4fbd7.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.3d4fbd7.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.3d4fbd7.15.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3d4fbd7.15.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.QUOTATION.exe.3e2665e.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.3e2665e.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.3e2665e.19.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3d66e36.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.3d66e36.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.3d66e36.16.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.QUOTATION.exe.3e2665e.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.3e2665e.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.3e2665e.19.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3d66e36.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.3d66e36.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.3d66e36.16.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.3d66e36.16.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.QUOTATION.exe.2b8a1ec.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.2b8a1ec.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.2b8a1ec.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.QUOTATION.exe.2518984.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 5.2.QUOTATION.exe.2b081f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.QUOTATION.exe.2b081f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.QUOTATION.exe.2b081f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.QUOTATION.exe.2b081f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.QUOTATION.exe.252be1c.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 1.2.QUOTATION.exe.251fbd0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: QUOTATION.exe PID: 636, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: QUOTATION.exe PID: 636, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: QUOTATION.exe PID: 1052, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: QUOTATION.exe PID: 1052, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 1_2_00B1CC9C	1_2_00B1CC9C
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 1_2_00B1EED8	1_2_00B1EED8
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 1_2_00B1EEC8	1_2_00B1EEC8
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 5_2_05ED02B0	5_2_05ED02B0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 5_2_0292E480	5_2_0292E480
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 5_2_0292E471	5_2_0292E471
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 5_2_0292BBD4	5_2_0292BBD4

Source: QUOTATION.exe, 00000001.00000000.365542409.00000000001AA000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenameIClosa.exe. vs QUOTATION.exe
Source: QUOTATION.exe, 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs QUOTATION.exe
Source: QUOTATION.exe, 00000001.00000002.422737136.0000000006D40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs QUOTATION.exe
Source: QUOTATION.exe, 00000001.00000002.421779048.0000000006980000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFort.dll" vs QUOTATION.exe
Source: QUOTATION.exe	Binary or memory string: OriginalFilename vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000000.411504531.00000000006FA000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenameIClosa.exe. vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.637915665.0000000003AD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.637915665.0000000003AD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.637915665.0000000003AD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000003.425610931.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.641129187.0000000005EC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs QUOTATION.exe
Source: QUOTATION.exe, 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs QUOTATION.exe
Source: QUOTATION.exe	Binary or memory string: OriginalFilenameIClosa.exe. vs QUOTATION.exe

Source: QUOTATION.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: QUOTATION.exe

ReversingLabs: Detection: 17%

Source: C:\Users\user\Desktop\QUOTATION.exe

File read: C:\Users\user\Desktop\QUOTATION.exe

Jump to behavior

Source: QUOTATION.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\QUOTATION.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION.exe "C:\Users\user\Desktop\QUOTATION.exe"
Source: C:\Users\user\Desktop\QUOTATION.exe	Process created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe
Source: C:\Users\user\Desktop\QUOTATION.exe	Process created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/5@14/2

Source: 5.0.QUOTATION.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.QUOTATION.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.QUOTATION.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.QUOTATION.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.QUOTATION.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.QUOTATION.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.QUOTATION.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.QUOTATION.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\QUOTATION.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\{fe56abb4-cb76-44f1-89b4-7bb11730ab9d}

Source: 5.0.QUOTATION.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.QUOTATION.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.0.QUOTATION.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.QUOTATION.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.QUOTATION.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.QUOTATION.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.0.QUOTATION.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.QUOTATION.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.QUOTATION.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\QUOTATION.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: QUOTATION.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: QUOTATION.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: QUOTATION.exe, 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: IClosa.pdb source: QUOTATION.exe
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: QUOTATION.exe, 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: QUOTATION.exe, DZ/hD.cs	.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.QUOTATION.exe.100000.0.unpack, DZ/hD.cs	.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.QUOTATION.exe.100000.0.unpack, DZ/hD.cs	.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.QUOTATION.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.QUOTATION.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.QUOTATION.exe.650000.1.unpack, DZ/hD.cs	.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.QUOTATION.exe.650000.1.unpack, DZ/hD.cs	.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.QUOTATION.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.QUOTATION.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.QUOTATION.exe.650000.0.unpack, DZ/hD.cs	.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.QUOTATION.exe.650000.2.unpack, DZ/hD.cs	.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.QUOTATION.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.QUOTATION.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.QUOTATION.exe.650000.9.unpack, DZ/hD.cs	.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.QUOTATION.exe.650000.7.unpack, DZ/hD.cs	.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.QUOTATION.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.QUOTATION.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.QUOTATION.exe.650000.11.unpack, DZ/hD.cs	.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.QUOTATION.exe.650000.5.unpack, DZ/hD.cs	.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.QUOTATION.exe.650000.13.unpack, DZ/hD.cs	.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 1_2_00B1C0C0 pushad ; iretd		1_2_00B1C0C1
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 1_2_00B1C128 pushfd ; iretd		1_2_00B1C129

Source: initial sample

Static PE information: section name: .text entropy: 7.85363185265

Source: 5.0.QUOTATION.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.0.QUOTATION.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.0.QUOTATION.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.0.QUOTATION.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.0.QUOTATION.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.0.QUOTATION.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.0.QUOTATION.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.0.QUOTATION.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\QUOTATION.exe

File opened: C:\Users\user\Desktop\QUOTATION.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 1.2.QUOTATION.exe.2518984.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QUOTATION.exe.252be1c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QUOTATION.exe.251fbd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.416586877.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION.exe PID: 636, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: QUOTATION.exe, 00000001.00000002.416586877.00000000024C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: QUOTATION.exe, 00000001.00000002.416586877.00000000024C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\QUOTATION.exe TID: 2324	Thread sleep time: -45733s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe TID: 5636	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe TID: 6076	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION.exe	Window / User API: threadDelayed 5456	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Window / User API: threadDelayed 3752	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Window / User API: foregroundWindowGot 678	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Window / User API: foregroundWindowGot 762	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION.exe	Thread delayed: delay time: 45733	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: QUOTATION.exe, 00000001.00000002.416586877.00000000024C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: QUOTATION.exe, 00000001.00000002.416586877.00000000024C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: QUOTATION.exe	Binary or memory string: a]hVMci
Source: QUOTATION.exe, 00000001.00000002.416586877.00000000024C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: QUOTATION.exe, 00000005.00000003.426319113.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000003.425628506.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.631865092.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000003.426931998.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000003.428720756.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000003.428601627.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000003.429385256.0000000000BF3000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000003.500464778.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000003.426588395.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000003.429488260.0000000000BF5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: QUOTATION.exe, 00000001.00000002.416586877.00000000024C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\QUOTATION.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION.exe

Process created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe

Jump to behavior

Source: QUOTATION.exe, 00000005.00000002.635237708.0000000002C36000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.637467627.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.635280236.0000000002C3C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager#xp
Source: QUOTATION.exe, 00000005.00000002.641766867.0000000006E8C000.00000004.00000010.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641664223.0000000006CFA000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managerram Manager
Source: QUOTATION.exe, 00000005.00000002.642071541.000000000770C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managerl
Source: QUOTATION.exe, 00000005.00000002.641052824.0000000005DBC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managerram Manager 8
Source: QUOTATION.exe, 00000005.00000002.637521725.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager4
Source: QUOTATION.exe, 00000005.00000002.642047911.00000000075CC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: QUOTATION.exe, 00000005.00000002.642169555.0000000007B0B000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managerram Manager h
Source: QUOTATION.exe, 00000005.00000002.635280236.0000000002C3C000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.637809442.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.637521725.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerxp

Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\QUOTATION.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 5.2.QUOTATION.exe.5c64629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.3b38a28.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.3b2458d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.3b3d051.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.3b38a28.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.5c60000.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.5c60000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION.exe PID: 636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QUOTATION.exe PID: 1052, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: QUOTATION.exe, 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: QUOTATION.exe, 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: QUOTATION.exe, 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.637915665.0000000003AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: QUOTATION.exe, 00000005.00000003.425610931.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: QUOTATION.exe, 00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: QUOTATION.exe, 00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: QUOTATION.exe, 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: QUOTATION.exe, 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: QUOTATION.exe, 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: QUOTATION.exe, 00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: QUOTATION.exe, 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: 5.2.QUOTATION.exe.5c64629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.3b38a28.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.3b2458d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.3b3d051.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.3b38a28.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.5c60000.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.5c60000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION.exe PID: 636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QUOTATION.exe PID: 1052, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	12 Process Injection	1 Masquerading	21 Input Capture	1 Query Registry	Remote Services	21 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	12 Process Injection	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	21 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Files and Directories	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	13 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QUOTATION.exe	17%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoBot

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.0.QUOTATION.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.0.QUOTATION.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.2.QUOTATION.exe.5c60000.22.unpack	100%	Avira	TR/NanoCore.fadte	Download File
5.0.QUOTATION.exe.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.0.QUOTATION.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.0.QUOTATION.exe.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.2.QUOTATION.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
deranano2.ddns.net	100%	Avira URL Cloud	malware
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
deranano2.ddns.net	212.193.30.204	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
deranano2.ddns.net	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://google.com	QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
212.193.30.204	deranano2.ddns.net	Russian Federation		57844	SPD-NETTR	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	624514
Start date and time: 11/05/202218:33:14	2022-05-11 18:33:14 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	QUOTATION.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/5@14/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 1.9% (good quality ratio 1.7%) Quality average: 68.5% Quality standard deviation: 29.8%
HCA Information:	Successful, ratio: 99% Number of executed functions: 38 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
VT rate limit hit for: QUOTATION.exe

Simulations

Behavior and APIs

Time	Type	Description
18:34:41	API Interceptor	807x Sleep call for process: QUOTATION.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
212.193.30.204	2020574185.exe	Get hash	malicious	Browse
	ORDER.exe	Get hash	malicious	Browse
	POP.exe	Get hash	malicious	Browse
	Bill Of Lading.exe	Get hash	malicious	Browse
	900010225 CON.LUMES JAIPUR 05.02.2022.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
deranano2.ddns.net	2020574185.exe	Get hash	malicious	Browse	212.193.30.204
	ORDER.exe	Get hash	malicious	Browse	212.193.30.204
	POP.exe	Get hash	malicious	Browse	212.193.30.204
	Bill Of Lading.exe	Get hash	malicious	Browse	212.193.30.204
	900010225 CON.LUMES JAIPUR 05.02.2022.exe	Get hash	malicious	Browse	212.193.30.204
	FYI.exe	Get hash	malicious	Browse	194.31.98.18
	FYI.exe	Get hash	malicious	Browse	194.31.98.18
	VOLGOIL LLC SOFT CORPORATE OFFER VESSEL TO TANK.exe	Get hash	malicious	Browse	194.31.98.18
	product specification and detailspdf.exe	Get hash	malicious	Browse	194.31.98.18

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SPD-NETTR	Resetter.exe	Get hash	malicious	Browse	212.193.30.29
	SecuriteInfo.com.Trojan.PackedNET.331.26146.exe	Get hash	malicious	Browse	212.193.30.38
	hdk8Z67C7x.exe	Get hash	malicious	Browse	212.193.30.29
	CHANGE OF ACCOUNT RUSH TO DESK.exe	Get hash	malicious	Browse	212.193.30.101
	2020574185.exe	Get hash	malicious	Browse	212.193.30.204
	ORDER.exe	Get hash	malicious	Browse	212.193.30.204
	ckc238HATk.exe	Get hash	malicious	Browse	212.193.30.45
	ckc238HATk.exe	Get hash	malicious	Browse	212.193.30.45
	TjDCLiM89x.exe	Get hash	malicious	Browse	212.193.30.45
	POP.exe	Get hash	malicious	Browse	212.193.30.204
	AFAC7896CF21983233C533EEAEC870610856969D98218.exe	Get hash	malicious	Browse	212.193.30.29
	E4FB57012D7A31E6511C4BAC952323093E8BB51F13884.exe	Get hash	malicious	Browse	212.193.30.29
	E2E7294A6FEE9EF6372897F3BEBFFB0D17BC31B9CF8C6.exe	Get hash	malicious	Browse	212.193.30.29
	Bill Of Lading.exe	Get hash	malicious	Browse	212.193.30.204
	900010225 CON.LUMES JAIPUR 05.02.2022.exe	Get hash	malicious	Browse	212.193.30.204
	7nSmJgc4Js.exe	Get hash	malicious	Browse	212.193.30.45
	arm7-20220427-0150	Get hash	malicious	Browse	185.118.141.120
	Setup.exe	Get hash	malicious	Browse	212.193.30.29
	OrderGY2103881.rtf	Get hash	malicious	Browse	212.193.30.19
	packingListBLandshippingdocspdf.exe	Get hash	malicious	Browse	212.193.30.144

Process:	C:\Users\user\Desktop\QUOTATION.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1750
Entropy (8bit):	5.3375092442007315
Encrypted:	false
SSDEEP:	48:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzvFHYHKlEHUzvAHj:Pq5qXEwCYqhQnoPtIxHeqzN4qm0z4D
MD5:	92FEE17DD9A6925BA2D1E5EF2CD6E5F2
SHA1:	4614AE0DD188A0FE1983C5A8D82A69AF5BD13039
SHA-256:	67351D6FA9F9E11FD21E72581AFDC8E63A284A6080D99A6390641FC11C667235
SHA-512:	C599C633D288B845A7FAA31FC0FA86EAB8585CC2C515D68CA0DFC6AB16B27515A5D729EF535109B2CDE29FF3CF4CF725F4F920858501A2421FC7D76C804F2AA7
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Download File

Process:	C:\Users\user\Desktop\QUOTATION.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5:	32D0AAE13696FF7F8AF33B2D22451028
SHA1:	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256:	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512:	1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\QUOTATION.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:zWl:0
MD5:	91522D41025242D19D64C4FA2D4C2EFD
SHA1:	ED596E1834BC20F99EABC9D702E15250E588EFFE
SHA-256:	8E9E0CBF71438BABDEE035125FA4B28E1FFCC9DB35550FBFE2296724F54505B5
SHA-512:	D390C4FB3BD6C310B5864E50B8B39295D918120A1077E3508E00AB5D52847ECC8ED126BEFA69E41B7BF1F3D9B4CE4B28B0CF585C830A67925EBAE55D60850DA1
Malicious:	true
Reputation:	low
Preview:	#...3.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

Download File

Process:	C:\Users\user\Desktop\QUOTATION.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Download File

Process:	C:\Users\user\Desktop\QUOTATION.exe
File Type:	data
Category:	dropped
Size (bytes):	327432
Entropy (8bit):	7.99938831605763
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5:	7E8F4A764B981D5B82D1CC49D341E9C6
SHA1:	D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256:	0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512:	880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.85137144717535
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	QUOTATION.exe
File size:	707584
MD5:	dbffb4682e330d635295ccdd92fe99c4
SHA1:	ba03bbac64d96bfbd3067803a8b08466b8fb0d3a
SHA256:	011c5f305852ea8ef82a26bae0d7b6f59fd70f431b91edb25df06863e0001bc0
SHA512:	01fe41d7c24f92d05308b9316ba49adf2e7d2cc410a63e4da7e95dde82a6669f5e39c45ba0306f0c4a9f45174aeabd130fc215e877cc736220b05b9d9594802f
SSDEEP:	12288:QF/3DpQp9V5XXkkXIqvCQOeZ/xWzWsCXQhpKn+nj4/sHtNdC8Sgp:QF/3DG/YkvvWeZ/xWzWsQQhsnCOcdv
TLSH:	87E4011CBAF7DA22D16E2B3990F280945771BE89A033D31E35DC134E9F16B9349467A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f{b..............0..p...Z........... ........@.. ....................... ............@................................

File Icon


Icon Hash:	f0f2f25944bcce78

Static PE Info

General

Entrypoint:	0x4a8f0e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x627B66A8 [Wed May 11 07:32:56 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa8ec0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x57ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa8e81	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa6f14	0xa7000	False	0.886948271426	data	7.85363185265	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x57ac	0x5800	False	0.964799360795	data	7.88885953367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb0000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xaa130	0x5164	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0xaf294	0x14	data
RT_VERSION	0xaf2a8	0x318	data
RT_MANIFEST	0xaf5c0	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Kids Mart 2012
Assembly Version	1.0.0.0
InternalName	IClosa.exe
FileVersion	1.0.0.0
CompanyName	Kids Mart
LegalTrademarks
Comments
ProductName	Voroni
ProductVersion	1.0.0.0
FileDescription	Voroni
OriginalFilename	IClosa.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.6212.193.30.2044977411872816766 05/11/22-18:34:53.312719	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49774	1187	192.168.2.6	212.193.30.204
192.168.2.6212.193.30.2044985611872816766 05/11/22-18:36:21.786696	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49856	1187	192.168.2.6	212.193.30.204
192.168.2.6212.193.30.2044983111872816766 05/11/22-18:36:15.708740	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49831	1187	192.168.2.6	212.193.30.204
212.193.30.204192.168.2.61187497802810290 05/11/22-18:35:07.758520	TCP	2810290	ETPRO TROJAN NanoCore RAT Keepalive Response 1	1187	49780	212.193.30.204	192.168.2.6
192.168.2.6212.193.30.2044980511872816766 05/11/22-18:36:01.158778	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49805	1187	192.168.2.6	212.193.30.204
192.168.2.6212.193.30.2044980011872816766 05/11/22-18:35:40.802538	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49800	1187	192.168.2.6	212.193.30.204
192.168.2.6212.193.30.2044977711872816766 05/11/22-18:35:01.955240	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49777	1187	192.168.2.6	212.193.30.204
192.168.2.6212.193.30.2044978711872816766 05/11/22-18:35:14.531508	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49787	1187	192.168.2.6	212.193.30.204
192.168.2.6212.193.30.2044979711872816766 05/11/22-18:35:34.087505	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49797	1187	192.168.2.6	212.193.30.204
192.168.2.6212.193.30.2044986211872816766 05/11/22-18:36:27.889829	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49862	1187	192.168.2.6	212.193.30.204
192.168.2.6212.193.30.2044980911872816766 05/11/22-18:36:07.741009	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49809	1187	192.168.2.6	212.193.30.204
192.168.2.6212.193.30.2044979711872816718 05/11/22-18:35:34.087505	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49797	1187	192.168.2.6	212.193.30.204
192.168.2.6212.193.30.2044980211872816766 05/11/22-18:35:47.819257	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49802	1187	192.168.2.6	212.193.30.204
212.193.30.204192.168.2.61187498622841753 05/11/22-18:36:36.975115	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	1187	49862	212.193.30.204	192.168.2.6
192.168.2.6212.193.30.2044978011872816766 05/11/22-18:35:07.459686	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49780	1187	192.168.2.6	212.193.30.204
192.168.2.6212.193.30.2044979611872816766 05/11/22-18:35:26.904734	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49796	1187	192.168.2.6	212.193.30.204
192.168.2.6212.193.30.2044978811872816766 05/11/22-18:35:20.778412	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49788	1187	192.168.2.6	212.193.30.204

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 11, 2022 18:34:52.318828106 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.347148895 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.350502968 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.406663895 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.470082998 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.483499050 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.511833906 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.665107012 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.716006041 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.808214903 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.858473063 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.858520031 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.858551025 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.858582020 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.858633995 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.858671904 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.885740995 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.885777950 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.885803938 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.885823965 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.885843992 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.885871887 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.885896921 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.885922909 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.885981083 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.886040926 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.886049032 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.913367987 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.913407087 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.913433075 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.913459063 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.913484097 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.913510084 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.913536072 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.913561106 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.913587093 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.913588047 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.913613081 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.913640976 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.913665056 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.913690090 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.913707018 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.913714886 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.913716078 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.913744926 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.913770914 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.913856983 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.913867950 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.941195011 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941226006 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941251993 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941277981 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941304922 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941334963 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941359997 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941382885 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.941386938 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941397905 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.941400051 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.941417933 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941445112 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941461086 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.941472054 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941499949 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941528082 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941555977 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941580057 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941605091 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941611052 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.941616058 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.941617966 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.941632986 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941658974 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941682100 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941735029 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941761017 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941777945 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.941781044 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.941782951 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.941787958 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941827059 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941852093 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941875935 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941900969 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941919088 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941942930 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941952944 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.941956997 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.941958904 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.941967964 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.941992044 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.942243099 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.942270041 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.972409010 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.972522020 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.972564936 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.972605944 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.972644091 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.972682953 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.972723007 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.972752094 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.972765923 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.972784996 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.972793102 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.972809076 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.972841024 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.972850084 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.972891092 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.972930908 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.972969055 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973007917 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973047018 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973061085 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.973072052 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.973077059 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.973088026 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973129988 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973167896 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973206997 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973246098 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973283052 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973298073 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.973308086 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.973314047 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.973323107 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973366976 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973412037 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973453999 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973490953 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.973493099 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973500013 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.973532915 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973572969 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973611116 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973649025 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973687887 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973704100 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.973714113 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.973721981 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.973731041 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973773003 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973810911 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973850965 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973890066 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973927021 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.973942041 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.973949909 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.973954916 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.973967075 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.974006891 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.974047899 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.974087954 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.974126101 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.974165916 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.974179029 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.974189043 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.974195004 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.974205971 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.974244118 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.974282980 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.974322081 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.974350929 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.974359989 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:52.974380970 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:52.974642992 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.002288103 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.002340078 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.002383947 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.002420902 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.002424955 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.002466917 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.002507925 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.002547026 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.002587080 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.002618074 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.002626896 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.002629995 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.002667904 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.002672911 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.002713919 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.002753973 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.002793074 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.002830029 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.002867937 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.002897024 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.002904892 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.002909899 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.002909899 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.002953053 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.002994061 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003031015 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003070116 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003108978 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003137112 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.003148079 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003184080 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.003189087 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.003190994 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003232956 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003272057 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003300905 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.003313065 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003319025 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.003355980 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003395081 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003434896 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003473043 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003510952 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003535032 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.003546000 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.003549099 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.003555059 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003596067 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003621101 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.003638983 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003676891 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003730059 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.003752947 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003794909 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003832102 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003859043 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.003874063 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003914118 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003951073 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.003988981 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.004026890 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.004059076 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.004066944 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.004067898 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.004072905 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.004111052 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.004149914 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.004190922 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.004230022 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.004301071 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.004339933 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.004344940 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.031342983 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.031450033 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.031497002 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.031537056 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.031577110 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.031614065 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.031619072 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.031636000 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.031658888 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.031698942 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.031738043 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.031776905 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.031831980 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.031841993 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.031848907 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.031852961 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.031872988 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.031912088 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.031950951 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.031970978 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.031991005 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.032012939 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.032032013 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.032074928 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.032114983 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.032154083 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.032192945 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.032231092 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.032243967 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.032250881 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.032254934 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.032270908 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.032311916 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.032355070 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.032397032 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.032433987 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.032489061 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.032495022 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.032499075 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.033399105 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.033443928 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.033483028 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.033523083 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.033561945 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.033598900 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.033602953 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.033632040 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.033646107 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.033646107 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.033687115 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.033726931 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.033763885 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.033766985 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.033806086 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.033844948 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.033883095 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.033885002 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.033895969 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.033926010 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.033967972 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034007072 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034045935 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034065962 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.034075022 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.034086943 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034126997 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034142017 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.034166098 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034204960 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034235954 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034264088 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034303904 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034327984 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.034348965 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034388065 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034426928 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034466982 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034523010 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034526110 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.034532070 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.034537077 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.034563065 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034600973 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034641981 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034682989 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034719944 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034759998 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034770966 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.034778118 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.034782887 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.034800053 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034837961 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034878016 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034918070 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034956932 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.034970999 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.034976959 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.034997940 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.035037041 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.035074949 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.035114050 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.035151005 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.035170078 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.035178900 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.035182953 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.035191059 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.035231113 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.035270929 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.035311937 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.035370111 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.035377026 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.064729929 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.064780951 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.064820051 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.064862013 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.064903021 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.064943075 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.064965010 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.064982891 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.064985991 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.064990044 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.065025091 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065066099 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065108061 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065148115 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065190077 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065200090 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.065205097 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.065208912 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.065232038 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065269947 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065309048 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065350056 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065391064 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065431118 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065438986 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.065445900 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.065449953 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.065469980 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065510988 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065550089 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065587044 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065624952 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065664053 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065670967 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.065676928 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.065680027 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.065706015 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065871954 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065913916 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065953016 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.065972090 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.065979004 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.065992117 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.066023111 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.066061020 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.066088915 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.066101074 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.066140890 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.066267014 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.066273928 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.066282034 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.066314936 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.066358089 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.066400051 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.066405058 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.066437960 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.066477060 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:53.066749096 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.066761017 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.312719107 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:53.396348953 CEST	1187	49774	212.193.30.204	192.168.2.6
May 11, 2022 18:34:54.612854004 CEST	49774	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:59.116914034 CEST	49777	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:59.145973921 CEST	1187	49777	212.193.30.204	192.168.2.6
May 11, 2022 18:34:59.146153927 CEST	49777	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:59.168004036 CEST	49777	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:59.219691038 CEST	1187	49777	212.193.30.204	192.168.2.6
May 11, 2022 18:34:59.220132113 CEST	49777	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:59.248673916 CEST	1187	49777	212.193.30.204	192.168.2.6
May 11, 2022 18:34:59.478050947 CEST	49777	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:59.706001997 CEST	49777	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:34:59.788136959 CEST	1187	49777	212.193.30.204	192.168.2.6
May 11, 2022 18:34:59.987417936 CEST	1187	49777	212.193.30.204	192.168.2.6
May 11, 2022 18:35:00.165898085 CEST	49777	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:00.193500042 CEST	1187	49777	212.193.30.204	192.168.2.6
May 11, 2022 18:35:00.275039911 CEST	49777	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:00.566806078 CEST	49777	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:00.661928892 CEST	1187	49777	212.193.30.204	192.168.2.6
May 11, 2022 18:35:00.734889030 CEST	49777	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:00.818140984 CEST	1187	49777	212.193.30.204	192.168.2.6
May 11, 2022 18:35:00.818239927 CEST	49777	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:00.845796108 CEST	1187	49777	212.193.30.204	192.168.2.6
May 11, 2022 18:35:00.978126049 CEST	49777	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:00.992666006 CEST	49777	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:01.006470919 CEST	1187	49777	212.193.30.204	192.168.2.6
May 11, 2022 18:35:01.068778992 CEST	1187	49777	212.193.30.204	192.168.2.6
May 11, 2022 18:35:01.084474087 CEST	49777	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:01.162576914 CEST	1187	49777	212.193.30.204	192.168.2.6
May 11, 2022 18:35:01.955240011 CEST	49777	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:02.040900946 CEST	1187	49777	212.193.30.204	192.168.2.6
May 11, 2022 18:35:02.409889936 CEST	49777	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:06.613888025 CEST	49780	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:06.641458988 CEST	1187	49780	212.193.30.204	192.168.2.6
May 11, 2022 18:35:06.641680002 CEST	49780	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:06.662918091 CEST	49780	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:06.717088938 CEST	1187	49780	212.193.30.204	192.168.2.6
May 11, 2022 18:35:06.732592106 CEST	49780	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:06.765633106 CEST	1187	49780	212.193.30.204	192.168.2.6
May 11, 2022 18:35:06.806757927 CEST	49780	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:07.064057112 CEST	49780	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:07.148039103 CEST	1187	49780	212.193.30.204	192.168.2.6
May 11, 2022 18:35:07.294928074 CEST	1187	49780	212.193.30.204	192.168.2.6
May 11, 2022 18:35:07.303113937 CEST	49780	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:07.330980062 CEST	1187	49780	212.193.30.204	192.168.2.6
May 11, 2022 18:35:07.332158089 CEST	49780	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:07.359479904 CEST	1187	49780	212.193.30.204	192.168.2.6
May 11, 2022 18:35:07.359657049 CEST	49780	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:07.387305021 CEST	1187	49780	212.193.30.204	192.168.2.6
May 11, 2022 18:35:07.387481928 CEST	49780	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:07.458798885 CEST	1187	49780	212.193.30.204	192.168.2.6
May 11, 2022 18:35:07.459686041 CEST	49780	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:07.537810087 CEST	1187	49780	212.193.30.204	192.168.2.6
May 11, 2022 18:35:07.758519888 CEST	1187	49780	212.193.30.204	192.168.2.6
May 11, 2022 18:35:07.806967974 CEST	49780	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:08.531812906 CEST	49780	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:12.702718019 CEST	49787	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:12.731461048 CEST	1187	49787	212.193.30.204	192.168.2.6
May 11, 2022 18:35:12.731584072 CEST	49787	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:12.732144117 CEST	49787	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:12.790414095 CEST	1187	49787	212.193.30.204	192.168.2.6
May 11, 2022 18:35:12.790841103 CEST	49787	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:12.818998098 CEST	1187	49787	212.193.30.204	192.168.2.6
May 11, 2022 18:35:12.869935989 CEST	49787	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:13.440486908 CEST	49787	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:13.521569967 CEST	1187	49787	212.193.30.204	192.168.2.6
May 11, 2022 18:35:13.581371069 CEST	49787	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:13.662638903 CEST	1187	49787	212.193.30.204	192.168.2.6
May 11, 2022 18:35:13.666134119 CEST	1187	49787	212.193.30.204	192.168.2.6
May 11, 2022 18:35:13.667262077 CEST	49787	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:13.695419073 CEST	1187	49787	212.193.30.204	192.168.2.6
May 11, 2022 18:35:13.717681885 CEST	49787	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:13.745349884 CEST	1187	49787	212.193.30.204	192.168.2.6
May 11, 2022 18:35:13.745573044 CEST	49787	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:13.773474932 CEST	1187	49787	212.193.30.204	192.168.2.6
May 11, 2022 18:35:13.857007027 CEST	49787	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:13.927675962 CEST	1187	49787	212.193.30.204	192.168.2.6
May 11, 2022 18:35:14.531507969 CEST	49787	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:14.615192890 CEST	1187	49787	212.193.30.204	192.168.2.6
May 11, 2022 18:35:15.598047972 CEST	49787	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:19.754311085 CEST	49788	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:19.784137964 CEST	1187	49788	212.193.30.204	192.168.2.6
May 11, 2022 18:35:19.784286976 CEST	49788	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:19.785026073 CEST	49788	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:19.839943886 CEST	1187	49788	212.193.30.204	192.168.2.6
May 11, 2022 18:35:19.840291023 CEST	49788	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:19.868587971 CEST	1187	49788	212.193.30.204	192.168.2.6
May 11, 2022 18:35:19.979793072 CEST	49788	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:20.198447943 CEST	49788	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:20.287462950 CEST	1187	49788	212.193.30.204	192.168.2.6
May 11, 2022 18:35:20.436196089 CEST	1187	49788	212.193.30.204	192.168.2.6
May 11, 2022 18:35:20.440891027 CEST	49788	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:20.469266891 CEST	1187	49788	212.193.30.204	192.168.2.6
May 11, 2022 18:35:20.573623896 CEST	49788	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:20.591403961 CEST	49788	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:20.619919062 CEST	1187	49788	212.193.30.204	192.168.2.6
May 11, 2022 18:35:20.620090008 CEST	49788	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:20.648072958 CEST	1187	49788	212.193.30.204	192.168.2.6
May 11, 2022 18:35:20.648209095 CEST	49788	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:20.740024090 CEST	1187	49788	212.193.30.204	192.168.2.6
May 11, 2022 18:35:20.778412104 CEST	49788	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:20.865030050 CEST	1187	49788	212.193.30.204	192.168.2.6
May 11, 2022 18:35:21.811824083 CEST	49788	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:25.881808043 CEST	49796	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:25.909548998 CEST	1187	49796	212.193.30.204	192.168.2.6
May 11, 2022 18:35:25.909790993 CEST	49796	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:25.910413027 CEST	49796	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:25.984268904 CEST	1187	49796	212.193.30.204	192.168.2.6
May 11, 2022 18:35:25.984652996 CEST	49796	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:26.013712883 CEST	1187	49796	212.193.30.204	192.168.2.6
May 11, 2022 18:35:26.199053049 CEST	49796	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:26.207953930 CEST	49796	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:26.289089918 CEST	1187	49796	212.193.30.204	192.168.2.6
May 11, 2022 18:35:26.450934887 CEST	1187	49796	212.193.30.204	192.168.2.6
May 11, 2022 18:35:26.479362965 CEST	49796	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:26.506863117 CEST	1187	49796	212.193.30.204	192.168.2.6
May 11, 2022 18:35:26.528264999 CEST	49796	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:26.558067083 CEST	1187	49796	212.193.30.204	192.168.2.6
May 11, 2022 18:35:26.558155060 CEST	49796	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:26.587820053 CEST	1187	49796	212.193.30.204	192.168.2.6
May 11, 2022 18:35:26.674671888 CEST	49796	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:26.756073952 CEST	1187	49796	212.193.30.204	192.168.2.6
May 11, 2022 18:35:26.904733896 CEST	49796	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:26.990284920 CEST	1187	49796	212.193.30.204	192.168.2.6
May 11, 2022 18:35:28.013355017 CEST	49796	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:32.334022045 CEST	49797	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:32.361392975 CEST	1187	49797	212.193.30.204	192.168.2.6
May 11, 2022 18:35:32.361572027 CEST	49797	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:32.362296104 CEST	49797	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:32.408912897 CEST	1187	49797	212.193.30.204	192.168.2.6
May 11, 2022 18:35:32.434271097 CEST	49797	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:32.463666916 CEST	1187	49797	212.193.30.204	192.168.2.6
May 11, 2022 18:35:32.512111902 CEST	49797	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:32.729870081 CEST	49797	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:32.818126917 CEST	1187	49797	212.193.30.204	192.168.2.6
May 11, 2022 18:35:32.971138000 CEST	1187	49797	212.193.30.204	192.168.2.6
May 11, 2022 18:35:32.973344088 CEST	49797	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:33.000819921 CEST	1187	49797	212.193.30.204	192.168.2.6
May 11, 2022 18:35:33.002198935 CEST	49797	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:33.032177925 CEST	1187	49797	212.193.30.204	192.168.2.6
May 11, 2022 18:35:33.032371044 CEST	49797	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:33.061108112 CEST	1187	49797	212.193.30.204	192.168.2.6
May 11, 2022 18:35:33.061242104 CEST	49797	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:33.147842884 CEST	1187	49797	212.193.30.204	192.168.2.6
May 11, 2022 18:35:33.148039103 CEST	49797	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:33.240230083 CEST	1187	49797	212.193.30.204	192.168.2.6
May 11, 2022 18:35:34.087505102 CEST	49797	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:34.178932905 CEST	1187	49797	212.193.30.204	192.168.2.6
May 11, 2022 18:35:35.118855953 CEST	49797	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:39.202826977 CEST	49800	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:39.229983091 CEST	1187	49800	212.193.30.204	192.168.2.6
May 11, 2022 18:35:39.230205059 CEST	49800	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:39.230822086 CEST	49800	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:39.282938957 CEST	1187	49800	212.193.30.204	192.168.2.6
May 11, 2022 18:35:39.283291101 CEST	49800	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:39.311261892 CEST	1187	49800	212.193.30.204	192.168.2.6
May 11, 2022 18:35:39.418994904 CEST	49800	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:39.503129005 CEST	49800	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:39.583837032 CEST	1187	49800	212.193.30.204	192.168.2.6
May 11, 2022 18:35:39.770711899 CEST	1187	49800	212.193.30.204	192.168.2.6
May 11, 2022 18:35:39.830240965 CEST	49800	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:39.857321978 CEST	1187	49800	212.193.30.204	192.168.2.6
May 11, 2022 18:35:39.857505083 CEST	49800	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:39.943383932 CEST	1187	49800	212.193.30.204	192.168.2.6
May 11, 2022 18:35:39.943483114 CEST	49800	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:39.970733881 CEST	1187	49800	212.193.30.204	192.168.2.6
May 11, 2022 18:35:40.028418064 CEST	49800	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:40.055511951 CEST	1187	49800	212.193.30.204	192.168.2.6
May 11, 2022 18:35:40.237708092 CEST	49800	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:40.264756918 CEST	1187	49800	212.193.30.204	192.168.2.6
May 11, 2022 18:35:40.419068098 CEST	49800	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:40.541304111 CEST	49800	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:40.632296085 CEST	1187	49800	212.193.30.204	192.168.2.6
May 11, 2022 18:35:40.802537918 CEST	49800	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:40.880853891 CEST	1187	49800	212.193.30.204	192.168.2.6
May 11, 2022 18:35:41.787714958 CEST	49800	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:46.749486923 CEST	49802	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:46.776571035 CEST	1187	49802	212.193.30.204	192.168.2.6
May 11, 2022 18:35:46.776705027 CEST	49802	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:46.793487072 CEST	49802	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:46.838126898 CEST	1187	49802	212.193.30.204	192.168.2.6
May 11, 2022 18:35:46.843944073 CEST	49802	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:46.928719044 CEST	1187	49802	212.193.30.204	192.168.2.6
May 11, 2022 18:35:46.928836107 CEST	49802	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:46.956785917 CEST	1187	49802	212.193.30.204	192.168.2.6
May 11, 2022 18:35:47.015757084 CEST	49802	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:47.363549948 CEST	49802	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:47.444308043 CEST	1187	49802	212.193.30.204	192.168.2.6
May 11, 2022 18:35:47.608374119 CEST	1187	49802	212.193.30.204	192.168.2.6
May 11, 2022 18:35:47.612806082 CEST	49802	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:47.639962912 CEST	1187	49802	212.193.30.204	192.168.2.6
May 11, 2022 18:35:47.649182081 CEST	49802	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:47.681399107 CEST	1187	49802	212.193.30.204	192.168.2.6
May 11, 2022 18:35:47.681822062 CEST	49802	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:47.709088087 CEST	1187	49802	212.193.30.204	192.168.2.6
May 11, 2022 18:35:47.735922098 CEST	49802	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:47.818072081 CEST	1187	49802	212.193.30.204	192.168.2.6
May 11, 2022 18:35:47.819257021 CEST	49802	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:47.912220001 CEST	1187	49802	212.193.30.204	192.168.2.6
May 11, 2022 18:35:48.365670919 CEST	1187	49802	212.193.30.204	192.168.2.6
May 11, 2022 18:35:48.561168909 CEST	49802	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:48.802583933 CEST	49802	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:59.400696993 CEST	49805	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:59.429940939 CEST	1187	49805	212.193.30.204	192.168.2.6
May 11, 2022 18:35:59.430236101 CEST	49805	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:59.449424982 CEST	49805	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:59.496915102 CEST	1187	49805	212.193.30.204	192.168.2.6
May 11, 2022 18:35:59.510375977 CEST	49805	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:59.537942886 CEST	1187	49805	212.193.30.204	192.168.2.6
May 11, 2022 18:35:59.655728102 CEST	49805	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:59.849797010 CEST	49805	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:35:59.943290949 CEST	1187	49805	212.193.30.204	192.168.2.6
May 11, 2022 18:36:00.081893921 CEST	49805	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:00.117209911 CEST	1187	49805	212.193.30.204	192.168.2.6
May 11, 2022 18:36:00.118230104 CEST	49805	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:00.145723104 CEST	1187	49805	212.193.30.204	192.168.2.6
May 11, 2022 18:36:00.146924973 CEST	49805	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:00.175451994 CEST	1187	49805	212.193.30.204	192.168.2.6
May 11, 2022 18:36:00.178687096 CEST	49805	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:00.210057974 CEST	1187	49805	212.193.30.204	192.168.2.6
May 11, 2022 18:36:00.237211943 CEST	49805	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:00.318397045 CEST	1187	49805	212.193.30.204	192.168.2.6
May 11, 2022 18:36:01.158777952 CEST	49805	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:01.255883932 CEST	1187	49805	212.193.30.204	192.168.2.6
May 11, 2022 18:36:02.228724003 CEST	49805	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:06.861155987 CEST	49809	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:06.888530970 CEST	1187	49809	212.193.30.204	192.168.2.6
May 11, 2022 18:36:06.893029928 CEST	49809	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:06.927460909 CEST	49809	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:06.982242107 CEST	1187	49809	212.193.30.204	192.168.2.6
May 11, 2022 18:36:07.013257980 CEST	49809	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:07.041105986 CEST	1187	49809	212.193.30.204	192.168.2.6
May 11, 2022 18:36:07.159815073 CEST	49809	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:07.254720926 CEST	49809	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:07.333745003 CEST	1187	49809	212.193.30.204	192.168.2.6
May 11, 2022 18:36:07.552352905 CEST	1187	49809	212.193.30.204	192.168.2.6
May 11, 2022 18:36:07.556086063 CEST	49809	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:07.587785959 CEST	1187	49809	212.193.30.204	192.168.2.6
May 11, 2022 18:36:07.589868069 CEST	49809	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:07.618458033 CEST	1187	49809	212.193.30.204	192.168.2.6
May 11, 2022 18:36:07.619302988 CEST	49809	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:07.647322893 CEST	1187	49809	212.193.30.204	192.168.2.6
May 11, 2022 18:36:07.652465105 CEST	49809	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:07.740920067 CEST	1187	49809	212.193.30.204	192.168.2.6
May 11, 2022 18:36:07.741008997 CEST	49809	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:07.818234921 CEST	1187	49809	212.193.30.204	192.168.2.6
May 11, 2022 18:36:08.707731962 CEST	49809	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:13.291997910 CEST	49831	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:13.320324898 CEST	1187	49831	212.193.30.204	192.168.2.6
May 11, 2022 18:36:13.320492029 CEST	49831	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:13.405330896 CEST	49831	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:13.455646038 CEST	1187	49831	212.193.30.204	192.168.2.6
May 11, 2022 18:36:13.490962982 CEST	49831	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:13.519928932 CEST	1187	49831	212.193.30.204	192.168.2.6
May 11, 2022 18:36:13.660382986 CEST	49831	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:14.695806026 CEST	49831	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:14.776144028 CEST	1187	49831	212.193.30.204	192.168.2.6
May 11, 2022 18:36:14.899765968 CEST	49831	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:14.994669914 CEST	1187	49831	212.193.30.204	192.168.2.6
May 11, 2022 18:36:15.137315989 CEST	1187	49831	212.193.30.204	192.168.2.6
May 11, 2022 18:36:15.157198906 CEST	49831	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:15.186881065 CEST	1187	49831	212.193.30.204	192.168.2.6
May 11, 2022 18:36:15.217269897 CEST	49831	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:15.244914055 CEST	1187	49831	212.193.30.204	192.168.2.6
May 11, 2022 18:36:15.245016098 CEST	49831	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:15.272883892 CEST	1187	49831	212.193.30.204	192.168.2.6
May 11, 2022 18:36:15.457429886 CEST	49831	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:15.708739996 CEST	49831	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:15.788067102 CEST	1187	49831	212.193.30.204	192.168.2.6
May 11, 2022 18:36:16.758019924 CEST	49831	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:20.827016115 CEST	49856	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:20.854928970 CEST	1187	49856	212.193.30.204	192.168.2.6
May 11, 2022 18:36:20.855035067 CEST	49856	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:20.855640888 CEST	49856	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:20.943466902 CEST	1187	49856	212.193.30.204	192.168.2.6
May 11, 2022 18:36:20.948429108 CEST	1187	49856	212.193.30.204	192.168.2.6
May 11, 2022 18:36:20.961394072 CEST	49856	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:20.989165068 CEST	1187	49856	212.193.30.204	192.168.2.6
May 11, 2022 18:36:21.036021948 CEST	49856	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:21.686296940 CEST	49856	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:21.772347927 CEST	1187	49856	212.193.30.204	192.168.2.6
May 11, 2022 18:36:21.786695957 CEST	49856	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:21.865462065 CEST	1187	49856	212.193.30.204	192.168.2.6
May 11, 2022 18:36:21.954392910 CEST	1187	49856	212.193.30.204	192.168.2.6
May 11, 2022 18:36:21.976938963 CEST	49856	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:22.005465031 CEST	1187	49856	212.193.30.204	192.168.2.6
May 11, 2022 18:36:22.006618977 CEST	49856	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:22.034431934 CEST	1187	49856	212.193.30.204	192.168.2.6
May 11, 2022 18:36:22.034506083 CEST	49856	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:22.065134048 CEST	1187	49856	212.193.30.204	192.168.2.6
May 11, 2022 18:36:22.114190102 CEST	49856	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:22.445096970 CEST	49856	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:22.522725105 CEST	1187	49856	212.193.30.204	192.168.2.6
May 11, 2022 18:36:22.818020105 CEST	49856	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:26.894062996 CEST	49862	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:26.921184063 CEST	1187	49862	212.193.30.204	192.168.2.6
May 11, 2022 18:36:26.921649933 CEST	49862	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:26.922666073 CEST	49862	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:26.975282907 CEST	1187	49862	212.193.30.204	192.168.2.6
May 11, 2022 18:36:26.975800037 CEST	49862	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:27.005143881 CEST	1187	49862	212.193.30.204	192.168.2.6
May 11, 2022 18:36:27.052164078 CEST	49862	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:27.371881008 CEST	49862	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:27.459110975 CEST	1187	49862	212.193.30.204	192.168.2.6
May 11, 2022 18:36:27.632469893 CEST	1187	49862	212.193.30.204	192.168.2.6
May 11, 2022 18:36:27.660146952 CEST	49862	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:27.693468094 CEST	1187	49862	212.193.30.204	192.168.2.6
May 11, 2022 18:36:27.697329998 CEST	49862	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:27.730413914 CEST	1187	49862	212.193.30.204	192.168.2.6
May 11, 2022 18:36:27.730556011 CEST	49862	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:27.760271072 CEST	1187	49862	212.193.30.204	192.168.2.6
May 11, 2022 18:36:27.802133083 CEST	49862	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:27.889828920 CEST	49862	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:27.976249933 CEST	1187	49862	212.193.30.204	192.168.2.6
May 11, 2022 18:36:27.977087021 CEST	49862	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:28.054768085 CEST	1187	49862	212.193.30.204	192.168.2.6
May 11, 2022 18:36:28.873137951 CEST	1187	49862	212.193.30.204	192.168.2.6
May 11, 2022 18:36:28.927246094 CEST	49862	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:31.963120937 CEST	1187	49862	212.193.30.204	192.168.2.6
May 11, 2022 18:36:32.036915064 CEST	49862	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:36.975115061 CEST	1187	49862	212.193.30.204	192.168.2.6
May 11, 2022 18:36:37.131532907 CEST	49862	1187	192.168.2.6	212.193.30.204
May 11, 2022 18:36:37.159081936 CEST	1187	49862	212.193.30.204	192.168.2.6
May 11, 2022 18:36:37.240454912 CEST	49862	1187	192.168.2.6	212.193.30.204

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 11, 2022 18:34:52.287666082 CEST	51748	53	192.168.2.6	8.8.8.8
May 11, 2022 18:34:52.306927919 CEST	53	51748	8.8.8.8	192.168.2.6
May 11, 2022 18:34:59.093965054 CEST	50958	53	192.168.2.6	8.8.8.8
May 11, 2022 18:34:59.111686945 CEST	53	50958	8.8.8.8	192.168.2.6
May 11, 2022 18:35:06.523456097 CEST	56550	53	192.168.2.6	8.8.8.8
May 11, 2022 18:35:06.545044899 CEST	53	56550	8.8.8.8	192.168.2.6
May 11, 2022 18:35:12.681927919 CEST	57037	53	192.168.2.6	8.8.8.8
May 11, 2022 18:35:12.701590061 CEST	53	57037	8.8.8.8	192.168.2.6
May 11, 2022 18:35:19.731717110 CEST	60609	53	192.168.2.6	8.8.8.8
May 11, 2022 18:35:19.753113031 CEST	53	60609	8.8.8.8	192.168.2.6
May 11, 2022 18:35:25.857225895 CEST	52089	53	192.168.2.6	8.8.8.8
May 11, 2022 18:35:25.877197981 CEST	53	52089	8.8.8.8	192.168.2.6
May 11, 2022 18:35:32.226279974 CEST	54489	53	192.168.2.6	8.8.8.8
May 11, 2022 18:35:32.245639086 CEST	53	54489	8.8.8.8	192.168.2.6
May 11, 2022 18:35:39.179836988 CEST	53829	53	192.168.2.6	8.8.8.8
May 11, 2022 18:35:39.201423883 CEST	53	53829	8.8.8.8	192.168.2.6
May 11, 2022 18:35:46.664163113 CEST	58689	53	192.168.2.6	8.8.8.8
May 11, 2022 18:35:46.681548119 CEST	53	58689	8.8.8.8	192.168.2.6
May 11, 2022 18:35:58.912822962 CEST	49520	53	192.168.2.6	8.8.8.8
May 11, 2022 18:35:58.932028055 CEST	53	49520	8.8.8.8	192.168.2.6
May 11, 2022 18:36:06.740097046 CEST	52965	53	192.168.2.6	8.8.8.8
May 11, 2022 18:36:06.761792898 CEST	53	52965	8.8.8.8	192.168.2.6
May 11, 2022 18:36:12.778187037 CEST	60238	53	192.168.2.6	8.8.8.8
May 11, 2022 18:36:12.797620058 CEST	53	60238	8.8.8.8	192.168.2.6
May 11, 2022 18:36:20.803953886 CEST	52225	53	192.168.2.6	8.8.8.8
May 11, 2022 18:36:20.825550079 CEST	53	52225	8.8.8.8	192.168.2.6
May 11, 2022 18:36:26.871653080 CEST	57669	53	192.168.2.6	8.8.8.8
May 11, 2022 18:36:26.889264107 CEST	53	57669	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 11, 2022 18:34:52.287666082 CEST	192.168.2.6	8.8.8.8	0x6979	Standard query (0)	deranano2.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 18:34:59.093965054 CEST	192.168.2.6	8.8.8.8	0x581b	Standard query (0)	deranano2.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 18:35:06.523456097 CEST	192.168.2.6	8.8.8.8	0xfcc6	Standard query (0)	deranano2.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 18:35:12.681927919 CEST	192.168.2.6	8.8.8.8	0xf6fc	Standard query (0)	deranano2.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 18:35:19.731717110 CEST	192.168.2.6	8.8.8.8	0xbff	Standard query (0)	deranano2.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 18:35:25.857225895 CEST	192.168.2.6	8.8.8.8	0x263	Standard query (0)	deranano2.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 18:35:32.226279974 CEST	192.168.2.6	8.8.8.8	0x42ba	Standard query (0)	deranano2.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 18:35:39.179836988 CEST	192.168.2.6	8.8.8.8	0xcda1	Standard query (0)	deranano2.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 18:35:46.664163113 CEST	192.168.2.6	8.8.8.8	0x9bea	Standard query (0)	deranano2.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 18:35:58.912822962 CEST	192.168.2.6	8.8.8.8	0xd6ec	Standard query (0)	deranano2.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 18:36:06.740097046 CEST	192.168.2.6	8.8.8.8	0x46f8	Standard query (0)	deranano2.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 18:36:12.778187037 CEST	192.168.2.6	8.8.8.8	0xb4b2	Standard query (0)	deranano2.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 18:36:20.803953886 CEST	192.168.2.6	8.8.8.8	0xa1b8	Standard query (0)	deranano2.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 18:36:26.871653080 CEST	192.168.2.6	8.8.8.8	0x8cf	Standard query (0)	deranano2.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 11, 2022 18:34:52.306927919 CEST	8.8.8.8	192.168.2.6	0x6979	No error (0)	deranano2.ddns.net	212.193.30.204	A (IP address)	IN (0x0001)
May 11, 2022 18:34:59.111686945 CEST	8.8.8.8	192.168.2.6	0x581b	No error (0)	deranano2.ddns.net	212.193.30.204	A (IP address)	IN (0x0001)
May 11, 2022 18:35:06.545044899 CEST	8.8.8.8	192.168.2.6	0xfcc6	No error (0)	deranano2.ddns.net	212.193.30.204	A (IP address)	IN (0x0001)
May 11, 2022 18:35:12.701590061 CEST	8.8.8.8	192.168.2.6	0xf6fc	No error (0)	deranano2.ddns.net	212.193.30.204	A (IP address)	IN (0x0001)
May 11, 2022 18:35:19.753113031 CEST	8.8.8.8	192.168.2.6	0xbff	No error (0)	deranano2.ddns.net	212.193.30.204	A (IP address)	IN (0x0001)
May 11, 2022 18:35:25.877197981 CEST	8.8.8.8	192.168.2.6	0x263	No error (0)	deranano2.ddns.net	212.193.30.204	A (IP address)	IN (0x0001)
May 11, 2022 18:35:32.245639086 CEST	8.8.8.8	192.168.2.6	0x42ba	No error (0)	deranano2.ddns.net	212.193.30.204	A (IP address)	IN (0x0001)
May 11, 2022 18:35:39.201423883 CEST	8.8.8.8	192.168.2.6	0xcda1	No error (0)	deranano2.ddns.net	212.193.30.204	A (IP address)	IN (0x0001)
May 11, 2022 18:35:46.681548119 CEST	8.8.8.8	192.168.2.6	0x9bea	No error (0)	deranano2.ddns.net	212.193.30.204	A (IP address)	IN (0x0001)
May 11, 2022 18:35:58.932028055 CEST	8.8.8.8	192.168.2.6	0xd6ec	No error (0)	deranano2.ddns.net	212.193.30.204	A (IP address)	IN (0x0001)
May 11, 2022 18:36:06.761792898 CEST	8.8.8.8	192.168.2.6	0x46f8	No error (0)	deranano2.ddns.net	212.193.30.204	A (IP address)	IN (0x0001)
May 11, 2022 18:36:12.797620058 CEST	8.8.8.8	192.168.2.6	0xb4b2	No error (0)	deranano2.ddns.net	212.193.30.204	A (IP address)	IN (0x0001)
May 11, 2022 18:36:20.825550079 CEST	8.8.8.8	192.168.2.6	0xa1b8	No error (0)	deranano2.ddns.net	212.193.30.204	A (IP address)	IN (0x0001)
May 11, 2022 18:36:26.889264107 CEST	8.8.8.8	192.168.2.6	0x8cf	No error (0)	deranano2.ddns.net	212.193.30.204	A (IP address)	IN (0x0001)

Target ID:	1
Start time:	18:34:24
Start date:	11/05/2022
Path:	C:\Users\user\Desktop\QUOTATION.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QUOTATION.exe"
Imagebase:	0x100000
File size:	707584 bytes
MD5 hash:	DBFFB4682E330D635295CCDD92FE99C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.416586877.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Show Windows behavior

Target ID:	5
Start time:	18:34:44
Start date:	11/05/2022
Path:	C:\Users\user\Desktop\QUOTATION.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\QUOTATION.exe
Imagebase:	0x650000
File size:	707584 bytes
MD5 hash:	DBFFB4682E330D635295CCDD92FE99C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: NanoCore, Description: unknown, Source: 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: NanoCore, Description: unknown, Source: 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	79
Total number of Limit Nodes:	3

Executed Functions

Function 00B19E30 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B1A076

Memory Dump Source

Source File: 00000001.00000002.416122099.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_QUOTATION.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f428946863b910df3d42805357b006d357824c27ffb15d6b42673c41f0601c37
Instruction ID: 8a48ccebb5fd9375974deb9011f8a4b68623e13479a3b550ece3d55f3036ab6b
Opcode Fuzzy Hash: f428946863b910df3d42805357b006d357824c27ffb15d6b42673c41f0601c37
Instruction Fuzzy Hash: 66713470A00B458FDB24CF2AD05579ABBF1FF89304F50896DE44ADBA40D774E989CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B1B69C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B1C326,?,?,?,?,?), ref: 00B1C3E7

Memory Dump Source

Source File: 00000001.00000002.416122099.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_QUOTATION.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9ff66c1e73d8d3681170176cef404e228273ac66a571430b167a3da30266dbc6
Instruction ID: 97d360e705751db1bc882eda502c569db03519c6afdeb68cd5eced6bc9329434
Opcode Fuzzy Hash: 9ff66c1e73d8d3681170176cef404e228273ac66a571430b167a3da30266dbc6
Instruction Fuzzy Hash: D721E3B59042499FDB10CF9AD584ADEBBF4EB48324F14846AE914A3310D374A994CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B1C358 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B1C326,?,?,?,?,?), ref: 00B1C3E7

Memory Dump Source

Source File: 00000001.00000002.416122099.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_QUOTATION.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e343700f4ea663eca2000a810d7a8e0a8d9c332548e3d40c85832f0cfb121594
Instruction ID: ac695125e56156c7787fe0517425ec3393d2c664fdbaff4a3fdfbd690129e9a3
Opcode Fuzzy Hash: e343700f4ea663eca2000a810d7a8e0a8d9c332548e3d40c85832f0cfb121594
Instruction Fuzzy Hash: 1821E3B59002499FDB10CFAAD584ADEFFF4FB48324F14845AE924A7310D374A995CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B198A0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B1A0F1,00000800,00000000,00000000), ref: 00B1A302

Memory Dump Source

Source File: 00000001.00000002.416122099.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_QUOTATION.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 166870b306ffd7ec19c2f37aa97009a45856409e8548b03905708d48f10f6602
Instruction ID: 239b96cfba55d32b499f91b272a2ae58888cbd2f713fe7d33ca7402ae0063910
Opcode Fuzzy Hash: 166870b306ffd7ec19c2f37aa97009a45856409e8548b03905708d48f10f6602
Instruction Fuzzy Hash: DB1106B29043099FDB10CF9AD544ADEFBF4EB48324F14846AD415A7200C375A985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A290 Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B1A0F1,00000800,00000000,00000000), ref: 00B1A302

Memory Dump Source

Source File: 00000001.00000002.416122099.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_QUOTATION.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 901bc3414dfd6b87a6c4be94de9d423d1c3befcc5969b6ab1b8342014940473c
Instruction ID: 6831f3093d15c403ec2eb7c81906f50c8d498041582dab8cbe62bb2663f9a877
Opcode Fuzzy Hash: 901bc3414dfd6b87a6c4be94de9d423d1c3befcc5969b6ab1b8342014940473c
Instruction Fuzzy Hash: 831114B2D043498FDB10CFAAD444ADEFBF4EB48324F15856AD469A7200C374A985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A009 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B1A076

Memory Dump Source

Source File: 00000001.00000002.416122099.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_QUOTATION.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fd2fcf3fa0aa13be7bfdaa6ecaa1bcc6ada97437653d902e4acc918f92a06aea
Instruction ID: 491aac5d8c4f4dd77e283286020d90580b0063c233c7297d369dd1461d6a61df
Opcode Fuzzy Hash: fd2fcf3fa0aa13be7bfdaa6ecaa1bcc6ada97437653d902e4acc918f92a06aea
Instruction Fuzzy Hash: BD1104B1C016498FDB10CF9AD444BDEFBF4EB49324F10856AD829A7600C375A58ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A010 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B1A076

Memory Dump Source

Source File: 00000001.00000002.416122099.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_QUOTATION.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b8d203c3509d4e3921f6685915ea8565c71ef12a3ada6d7ba0228c24a45810c1
Instruction ID: 0221f694185f8fa29778634e74d418040996648653394ecf76c32fddfdd4a248
Opcode Fuzzy Hash: b8d203c3509d4e3921f6685915ea8565c71ef12a3ada6d7ba0228c24a45810c1
Instruction Fuzzy Hash: 471113B1C006498FCB10CF9AC448BDEFBF4EB88324F10855AD829B7600C375A589CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0083D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415628982.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_83d000_QUOTATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ee4af0b08e791b2eda805907a97fdb75809abd2dc8ad5a4915daaa94a5d54e
Instruction ID: 6e8978eb0af2b1d2ea98dc59a3e93abc2b6e21c738b160d848f34282a797326d
Opcode Fuzzy Hash: 02ee4af0b08e791b2eda805907a97fdb75809abd2dc8ad5a4915daaa94a5d54e
Instruction Fuzzy Hash: EC2124B1504344DFDB01DF00E9C0B26BB65FBC4328F248568E9058B246C336D856C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 0083D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415628982.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_83d000_QUOTATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7d002541c633feb46689234a1bb2e62d1b318be325b33f1dec39f9762d77a4
Instruction ID: 4f21addc19b30f0657e34230ab0b66e023513d112addc1b74b8c5f443172816c
Opcode Fuzzy Hash: 6e7d002541c633feb46689234a1bb2e62d1b318be325b33f1dec39f9762d77a4
Instruction Fuzzy Hash: FE21F5B2504344DFDB15DF10E9C0B26BB65FBD4328F24C569E9098B246C33AE856D7E2

Uniqueness

Uniqueness Score: -1.00%

Function 0084D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415655493.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_84d000_QUOTATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20727b25bf76346830efe2164ed8b2668274bb59327f1ad004f885da1ee76f9d
Instruction ID: d898c4fc3bd3e30643f89f7859f0fdc204c452da01ed479ba0202688b296e740
Opcode Fuzzy Hash: 20727b25bf76346830efe2164ed8b2668274bb59327f1ad004f885da1ee76f9d
Instruction Fuzzy Hash: 0D21F975608348DFDB15DF10D9C0B26BBA5FB84318F24CA6DE9099B346C37AE846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0084D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415655493.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_84d000_QUOTATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a31d5aee3854306f5a10a56051c19f5aeea930d456ef0a9d08ca46ca07e9371
Instruction ID: 69f4e80dce24abd8837a10c037c931bf2231bb966e5f47f3a5c72734742f0105
Opcode Fuzzy Hash: 0a31d5aee3854306f5a10a56051c19f5aeea930d456ef0a9d08ca46ca07e9371
Instruction Fuzzy Hash: B821D775508748DFDB14DF14D9C4B16BB65FB84328F24C969E9098B346C33AD847CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0083D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415628982.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_83d000_QUOTATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e12181f863a64cfe501b52ed0dc6072a2b21c790c3d1261feacc9d3857e76c6
Instruction ID: c839012f0d18c463c1b9189110ef34062cc39e996e9c09b58b8a148d13db6bed
Opcode Fuzzy Hash: 9e12181f863a64cfe501b52ed0dc6072a2b21c790c3d1261feacc9d3857e76c6
Instruction Fuzzy Hash: BD11B176904384CFCB12CF14D5C4B16BF72FB94324F24C6A9D8054B656C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0083D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415628982.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_83d000_QUOTATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e12181f863a64cfe501b52ed0dc6072a2b21c790c3d1261feacc9d3857e76c6
Instruction ID: a4606f18cfe4eacd0e0ccfde3ac22b8172df3c52a56bd4dd3efc80ba11d310a3
Opcode Fuzzy Hash: 9e12181f863a64cfe501b52ed0dc6072a2b21c790c3d1261feacc9d3857e76c6
Instruction Fuzzy Hash: 69118176504284DFCB16CF10D5C4B16BF71FB94324F24C6A9D8454B656C33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0084D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415655493.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_84d000_QUOTATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151ebce1a8b1bb49a373537606f5c99241a5b55cc1d685712532943faccb752d
Instruction ID: 4468654d56db7566f7a35b69469a12118776113e1f2b46ea9de9b8cf2bb4b042
Opcode Fuzzy Hash: 151ebce1a8b1bb49a373537606f5c99241a5b55cc1d685712532943faccb752d
Instruction Fuzzy Hash: 9811BB75504788CFCB11CF10D5C4B15BBA1FB84324F28C6AAD8098B656C33AD84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0084D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415655493.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_84d000_QUOTATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151ebce1a8b1bb49a373537606f5c99241a5b55cc1d685712532943faccb752d
Instruction ID: 7a56e4252892625d8f30c783ecb6cbb2a755b91a56171ed516232cd268d0c352
Opcode Fuzzy Hash: 151ebce1a8b1bb49a373537606f5c99241a5b55cc1d685712532943faccb752d
Instruction Fuzzy Hash: 13118B75904388DFCB12CF10D5C4B15BBA1FB84324F28C6A9D8498B656C37AE85ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0083D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415628982.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_83d000_QUOTATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33143a459eb9721d8f88e176fea82eec50ddfed1948d0c42c5ce750d227308f3
Instruction ID: fa7d31d3d94a3a1dfd649c0d91a4c378662018454cd9dfde258032e6fbe14561
Opcode Fuzzy Hash: 33143a459eb9721d8f88e176fea82eec50ddfed1948d0c42c5ce750d227308f3
Instruction Fuzzy Hash: 7401267140C3849EE7105E25EDC4B66FB98FF81378F18C51AEE049B286D3789884CAF1

Uniqueness

Uniqueness Score: -1.00%

Function 0083D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415628982.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_83d000_QUOTATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f095fdfa1d6e7705d7ef3776300d3b416c9f7365bc4e69ec15050ff76cc17d01
Instruction ID: 75dc99d25cd3dc3819d93b5d8dd2bfcca730ecce9ea5912ba93f11753d68072e
Opcode Fuzzy Hash: f095fdfa1d6e7705d7ef3776300d3b416c9f7365bc4e69ec15050ff76cc17d01
Instruction Fuzzy Hash: 49F096714083949EEB118E15DCC8B66FFA8FB91774F18C45AED085B386C3799C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B1EED8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.416122099.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_QUOTATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7110a47deea5cb0bb71e9303a8ca9f56dbeaf34b9436d7455dc260ec362182e6
Instruction ID: 61661d4894bec529e292326c125211ec8ad8a9ba3da4482d00a92a5a08a621d7
Opcode Fuzzy Hash: 7110a47deea5cb0bb71e9303a8ca9f56dbeaf34b9436d7455dc260ec362182e6
Instruction Fuzzy Hash: 6B1285F1411F46CAD730CF65ED9828D7BA1B745328BB04708D2616BAF1DBB8118AEF84

Uniqueness

Uniqueness Score: -1.00%

Function 00B1CC9C Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.416122099.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_QUOTATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c3f2155261a7be2bcd0bf391cd6222b9de7f430676e674a458d9094d19b355
Instruction ID: 3bbac37078da0eb18e1aca570262f1b18791be1a0f45ec9982e9e65b8d622b12
Opcode Fuzzy Hash: e5c3f2155261a7be2bcd0bf391cd6222b9de7f430676e674a458d9094d19b355
Instruction Fuzzy Hash: 2CA16E32E002198FCF05DFA5D8445DEBBF2FF85300B5585BAE915AB225EB35E985CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00B1EEC8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.416122099.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_QUOTATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b68d253c98a67a78c159e84cf1dc5a973714bc7065d7233c91ac16e63553b0e
Instruction ID: 13de532bfa8cee1ecb7118179b7a5ccbdcfdef2e9b96aae5e786d9c36eaaca3a
Opcode Fuzzy Hash: 7b68d253c98a67a78c159e84cf1dc5a973714bc7065d7233c91ac16e63553b0e
Instruction Fuzzy Hash: F7C1F8B1811B46CAD720CF65ED9828D7BA1BB85328F704708D1616B6F0DFB8118AEF84

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: QUOTATION.exePID: 1052, Parent PID: 636COMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	112
Total number of Limit Nodes:	10

Executed Functions

Function 0292B6C0 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0292B730
GetCurrentThread.KERNEL32 ref: 0292B76D
GetCurrentProcess.KERNEL32 ref: 0292B7AA
GetCurrentThreadId.KERNEL32 ref: 0292B803

Memory Dump Source

Source File: 00000005.00000002.632705997.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2920000_QUOTATION.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7e0d5cfc76b5c790f0ad6706efc967aa098e8b12957c49334b5b0444c663ff2a
Instruction ID: e2280b3e5fa15d798d22975ce5462c90b1b6c1a0483ed602fa29ca60f1fcbf69
Opcode Fuzzy Hash: 7e0d5cfc76b5c790f0ad6706efc967aa098e8b12957c49334b5b0444c663ff2a
Instruction Fuzzy Hash: 125167B4E053448FDB10CFA9C6887DEBBF5EF48318F248499E059A7351C7745889CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0292B6D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0292B730
GetCurrentThread.KERNEL32 ref: 0292B76D
GetCurrentProcess.KERNEL32 ref: 0292B7AA
GetCurrentThreadId.KERNEL32 ref: 0292B803

Memory Dump Source

Source File: 00000005.00000002.632705997.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2920000_QUOTATION.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 67c5a2ceb29fabf8c8c9f7f4e8c75fcac322db8cdd967e26b87aa9f80a130674
Instruction ID: 870d018a7baf9de4e8daffd23f9fb42909807688d580e98e5290d07e883684c4
Opcode Fuzzy Hash: 67c5a2ceb29fabf8c8c9f7f4e8c75fcac322db8cdd967e26b87aa9f80a130674
Instruction Fuzzy Hash: E35144B4E057098FDB10CFA9C648BAEBBF5EF48328F208459E019A7350C7745889CF62

Uniqueness

Uniqueness Score: -1.00%

Function 029293E8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0292962E

Strings

HR, xrefs: 0292958B
HR, xrefs: 02929566

Memory Dump Source

Source File: 00000005.00000002.632705997.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2920000_QUOTATION.jbxd

Similarity

API ID: HandleModule
String ID: HR$HR
API String ID: 4139908857-4037001784
Opcode ID: c03fddc99f3ba96a242348fbe60bc17a737e475b84debb09e2323cf6c8a983c3
Instruction ID: 65875e639be8241d26a784d2326cff0f85295c4011ad2d6d33a08be6bbd43fe9
Opcode Fuzzy Hash: c03fddc99f3ba96a242348fbe60bc17a737e475b84debb09e2323cf6c8a983c3
Instruction Fuzzy Hash: 17713470A00B158FE724DF2AD04179AB7F5BF88314F108A2DD48AD7A54D734E849CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0292FAA0 Relevance: 1.7, APIs: 1, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0292FD0A

Memory Dump Source

Source File: 00000005.00000002.632705997.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2920000_QUOTATION.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7fa250baf904ceead55257b89635b44876000a0aa43a37b17481909140bdf8cd
Instruction ID: 7ae6d45e39f8fb817087f6de4cbf10d5561f315fce688973bb896873e745059a
Opcode Fuzzy Hash: 7fa250baf904ceead55257b89635b44876000a0aa43a37b17481909140bdf8cd
Instruction Fuzzy Hash: 989170718093889FDB02CFA5C895ADDBFB1EF4A314F19819AE8849B262C734545ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 05EE1A1C Relevance: 1.6, APIs: 1, Instructions: 140
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 05EE3180

Memory Dump Source

Source File: 00000005.00000002.641159533.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: true

Associated: 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5ed0000_QUOTATION.jbxd

Yara matches

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: c8df85ed526f713fce8141df8cfb7557cfe0e4f8129a2aa5043122bf756bfa70
Instruction ID: 350dca8f3a73ab6b631843b760a0664f7f2a17a234316f52835948193bcdb2b4
Opcode Fuzzy Hash: c8df85ed526f713fce8141df8cfb7557cfe0e4f8129a2aa5043122bf756bfa70
Instruction Fuzzy Hash: CB514370D143089FDF10CFA9C8806DEBBB1FF48318F20852AE855AB250DB74A846CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0292FBF8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0292FD0A

Memory Dump Source

Source File: 00000005.00000002.632705997.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2920000_QUOTATION.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2189e85f03dc15f3ca0b80d6ad96b171d838285129b90615af83c795e2049010
Instruction ID: 63d21e3e9fd96050c92da8f5f2e0120fbc9fd21fb2e2affae8367d2e6aed80cd
Opcode Fuzzy Hash: 2189e85f03dc15f3ca0b80d6ad96b171d838285129b90615af83c795e2049010
Instruction Fuzzy Hash: 8E41C1B1D00319DFDB14CFA9C884ADEBBB5FF48314F24852AE819AB214D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05EE0D10 Relevance: 1.6, APIs: 1, Instructions: 91
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 05EE0DE9

Memory Dump Source

Source File: 00000005.00000002.641159533.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: true

Associated: 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5ed0000_QUOTATION.jbxd

Yara matches

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: c8182a6e330e0ecc50521d140f63c5b55af43420f6e44cc86c8556bac92f2114
Instruction ID: 4678123e4f88cbc84837717ad689bce51835ad46cae066fcd1ae96af90d71c2a
Opcode Fuzzy Hash: c8182a6e330e0ecc50521d140f63c5b55af43420f6e44cc86c8556bac92f2114
Instruction Fuzzy Hash: A8318BB4E14218DFDB14DF68C488BAEBBF5EF48714F148029E446A7360DBB4A846CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0292BDC1 Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0292BD87

Memory Dump Source

Source File: 00000005.00000002.632705997.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2920000_QUOTATION.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0455c9b04a8728e2635ee7e1c053966480daad6bad925b255cffd09d7bd88d11
Instruction ID: 4d4125b44150fbfaa9c6f7c87943941e5860ef87309a3db34b3f2ae2420679f1
Opcode Fuzzy Hash: 0455c9b04a8728e2635ee7e1c053966480daad6bad925b255cffd09d7bd88d11
Instruction Fuzzy Hash: 77414CBCA80244DFE7419F74F648BAA7BB5EB88301F104629EA168B7C5DB7518A5CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0292BCF9 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0292BD87

Memory Dump Source

Source File: 00000005.00000002.632705997.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2920000_QUOTATION.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a43a6a552496da2777041058040d0742d27e02b60d6cb92dfdbf2222e80d39e2
Instruction ID: 759db7235f02bd6273e15e3af476aa385cdfe0a1f55cd59ba22474888866fd03
Opcode Fuzzy Hash: a43a6a552496da2777041058040d0742d27e02b60d6cb92dfdbf2222e80d39e2
Instruction Fuzzy Hash: 312103B5D012099FCB00CFA9D584AEEBFF4EF48324F14841AE958A3310C378A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0292BD00 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0292BD87

Memory Dump Source

Source File: 00000005.00000002.632705997.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2920000_QUOTATION.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 861cf439e5aca6d8c8cfe2cec57801f0fd18fba610cbf2dc7bbb46f3749a92ef
Instruction ID: c2e055a42000c361a6679b4f5ac299823f3c85a7cf98015079883bf23461d647
Opcode Fuzzy Hash: 861cf439e5aca6d8c8cfe2cec57801f0fd18fba610cbf2dc7bbb46f3749a92ef
Instruction Fuzzy Hash: E021C4B5D04219DFDB10CF9AD584ADEBBF8FB48324F14841AE958A3310D378A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02929849 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,029296A9,00000800,00000000,00000000), ref: 029298BA

Memory Dump Source

Source File: 00000005.00000002.632705997.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2920000_QUOTATION.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 20b7c08ae923ecf9e64e87aae67378c7bb4d35b9aa1fc84b74a212721cca1b1f
Instruction ID: 81047cb278e248bdabd1ebf4bc1a77c0ed485286ce777e23d182f1c11c0e9d9d
Opcode Fuzzy Hash: 20b7c08ae923ecf9e64e87aae67378c7bb4d35b9aa1fc84b74a212721cca1b1f
Instruction Fuzzy Hash: 501106B6D042098FDB10CFAAC444ADEFBF4AB48324F14842ED559A7200C375A54ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02928768 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,029296A9,00000800,00000000,00000000), ref: 029298BA

Memory Dump Source

Source File: 00000005.00000002.632705997.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2920000_QUOTATION.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8827896e847b3ab6bdeec2396eff0e6dfbe4eb48e46864b7c6125b34cf258934
Instruction ID: 064cf548fe6ae2abc2ba9e669f817b43be48e5594aeddcac91c051d4edb96f8b
Opcode Fuzzy Hash: 8827896e847b3ab6bdeec2396eff0e6dfbe4eb48e46864b7c6125b34cf258934
Instruction Fuzzy Hash: 541103B6D042098FDB10CF9AC444BDEFBF8EB48324F14842EE519A7600C374A949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 029295C8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0292962E

Memory Dump Source

Source File: 00000005.00000002.632705997.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2920000_QUOTATION.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bae90b532ef092564dcc7d9b7d44fd5be7f64145ee5b1b6ae63542b9ae849700
Instruction ID: 3cd0d6e44bf2e4d0459a60ce36ba6464b25ef90a2a3419ec962705bb0514e770
Opcode Fuzzy Hash: bae90b532ef092564dcc7d9b7d44fd5be7f64145ee5b1b6ae63542b9ae849700
Instruction Fuzzy Hash: 6811E3B5D006598FDB10CF9AC444BDEFBF8AB88324F14845AD469A7600C374A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0292FE38 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0292FE9D

Memory Dump Source

Source File: 00000005.00000002.632705997.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2920000_QUOTATION.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 4aeac2578de66018158898a436740515a714604d9174322910aae0c143c2d07a
Instruction ID: 9a8fdc5b32c995ef13dd5301802b336f37bebf4d9b2c76279787bd385e6f92b8
Opcode Fuzzy Hash: 4aeac2578de66018158898a436740515a714604d9174322910aae0c143c2d07a
Instruction Fuzzy Hash: 301103B5900249DFDB10CF99D585BDEBBF8EB48324F14845AD858A7701C374A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0292FE40 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0292FE9D

Memory Dump Source

Source File: 00000005.00000002.632705997.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2920000_QUOTATION.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: aa8dd0f6252bb9e217e236e10665c09bc52f8eb64320497b09c56dba475bd4d6
Instruction ID: 569c382d2667c7a0651d220eafc74d530eec5a3a04511ffc78660de02b7aa1d1
Opcode Fuzzy Hash: aa8dd0f6252bb9e217e236e10665c09bc52f8eb64320497b09c56dba475bd4d6
Instruction Fuzzy Hash: 031103B59002098FDB10CF99D584BDEBBF8EB48324F10845AD858A3700C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EBD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.632168333.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ebd000_QUOTATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9a37c857a7e32b5b7e06a7407e2458dd5173e28d8603caa0f60e49023643d1
Instruction ID: ebc48557bf819da2a428f4f93c62c3ade56c5be6d9a46ba0a2b92b474439a54a
Opcode Fuzzy Hash: ad9a37c857a7e32b5b7e06a7407e2458dd5173e28d8603caa0f60e49023643d1
Instruction Fuzzy Hash: 132145B1508244DFDB25DF00DDC0BA7BF65FB88328F24C568E9095B246D336D846CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EBD3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.632168333.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ebd000_QUOTATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603940e28dfd19a16ea0f1881ebe301b52f530d536dd710d7b91c4940850b4ac
Instruction ID: e5b0a79dae4d87cc14128084342f57077a4b19dea98f6a8871dc02ace4817e37
Opcode Fuzzy Hash: 603940e28dfd19a16ea0f1881ebe301b52f530d536dd710d7b91c4940850b4ac
Instruction Fuzzy Hash: CC2167B1508244DFCB01DF10DDC0BA7BBA5FB84328F24C569E9096B246D336E856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ECD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.632206369.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ecd000_QUOTATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e146176480dc78e360b1e6f2debf0b1f5f17b78a6983d80c6c413bcff90863e
Instruction ID: 18e3df07d4fdf7722f1f56ef9d4a0486af1bc661df01c4e2eac719cf7eb40910
Opcode Fuzzy Hash: 1e146176480dc78e360b1e6f2debf0b1f5f17b78a6983d80c6c413bcff90863e
Instruction Fuzzy Hash: 9B21C175508244DFCB14DF18DAC1F16BBA6EB84328F24C97DE9095B246C33BD847CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ECD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.632206369.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ecd000_QUOTATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27aa1812f68f8b976656416a1ed815923d2c08f5819b2cb35b14d61443399016
Instruction ID: b067445403a8b1439750afbea423a5f55db05a8a39e98d97230259d82f3ae72d
Opcode Fuzzy Hash: 27aa1812f68f8b976656416a1ed815923d2c08f5819b2cb35b14d61443399016
Instruction Fuzzy Hash: 00217F755093808FDB12CF24D990B15BF71EB46214F28C5EAD8498B697C33B980BCB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EBD3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.632168333.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ebd000_QUOTATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e12181f863a64cfe501b52ed0dc6072a2b21c790c3d1261feacc9d3857e76c6
Instruction ID: cded3a7ea5b6f40dd503190b8f4042d0f58a85ee0f062299caa904a269d2f8f7
Opcode Fuzzy Hash: 9e12181f863a64cfe501b52ed0dc6072a2b21c790c3d1261feacc9d3857e76c6
Instruction Fuzzy Hash: 68113872404280CFCF12CF10D9C0B56BF71FB84328F24C6A9D8040B616C33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EBD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.632168333.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ebd000_QUOTATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e12181f863a64cfe501b52ed0dc6072a2b21c790c3d1261feacc9d3857e76c6
Instruction ID: 52bcfe877a426cf803a88a54547647d8443f018ec60793742f6648f20444dba5
Opcode Fuzzy Hash: 9e12181f863a64cfe501b52ed0dc6072a2b21c790c3d1261feacc9d3857e76c6
Instruction Fuzzy Hash: FF11E676908284CFCF12CF14D9C4B56BF71FB84328F24C6A9D9051B656D336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION.exe.log

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
QUOTATION.exe

Function 00B19E30 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Function 00B1B69C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 00B1C358 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 00B198A0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 00B1A290 Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Function 00B1A009 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 00B1A010 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 0292B6C0 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Function 0292B6D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 029293E8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194
COMMON

Function 0292FAA0 Relevance: 1.7, APIs: 1, Instructions: 248
COMMON